Description
Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 have a SQL injection vulnerability in JSON path compilation for the MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL. This is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers — both are non-parameterizable SQL constructs that require manual escaping, but only identifiers were protected. Version 0.28.12 fixes the issue.
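As an added example (not Kysely's code, and not the actual patch), the following TypeScript builds a JSON path from `.key()`/`.at()` legs and escapes it before embedding it in a single-quoted SQL literal, mirroring the delimiter doubling the advisory attributes to `sanitizeIdentifier()`. It keeps the unescaped form next to it and a small lexer-style check that shows how an unescaped quote terminates the literal early. The helper names (`compileJsonPath`, `escapeStringLiteral`, `literalEnd`, `literalIsWellFormed`) are hypothetical; the code assumes MySQL's default `sql_mode` (backslash is an escape character inside string literals) and that keys are plain member names that need no JSON-path quoting of their own.

```typescript
// Added example, not Kysely's implementation. Helper names are hypothetical.

type Dialect = "mysql" | "sqlite";
type Leg = { kind: "key"; key: string } | { kind: "at"; index: number };

// Escape a value for use inside a single-quoted SQL string literal.
// Doubling the quote is the SQL-standard escape accepted by both MySQL and
// SQLite. MySQL additionally treats backslash as an escape character unless
// sql_mode contains NO_BACKSLASH_ESCAPES, so for MySQL (default sql_mode
// assumed here) backslashes are doubled as well.
function escapeStringLiteral(value: string, dialect: Dialect): string {
  let out = value.replace(/'/g, "''");
  if (dialect === "mysql") {
    out = out.replace(/\\/g, "\\\\");
  }
  return out;
}

// Build "$.a.b[3]" from legs; keys are assumed to be plain member names.
function buildJsonPath(legs: Leg[]): string {
  let path = "$";
  for (const leg of legs) {
    if (leg.kind === "key") {
      path += "." + leg.key;
    } else {
      if (!Number.isInteger(leg.index)) {
        throw new Error("array index must be an integer");
      }
      path += "[" + leg.index + "]";
    }
  }
  return path;
}

// Hardened form: the whole path is escaped before it is wrapped in quotes.
function compileJsonPath(legs: Leg[], dialect: Dialect): string {
  return "'" + escapeStringLiteral(buildJsonPath(legs), dialect) + "'";
}

// The unescaped form the advisory describes, kept only so the check below
// can be seen distinguishing it from the hardened one.
function compileJsonPathUnescaped(legs: Leg[]): string {
  return "'" + buildJsonPath(legs) + "'";
}

// Index at which a SQL lexer would see the literal end, or -1 if unterminated.
// Models '' doubling and, for MySQL (default sql_mode), backslash escapes.
function literalEnd(sql: string, dialect: Dialect): number {
  if (sql[0] !== "'") return -1;
  for (let i = 1; i < sql.length; i++) {
    const c = sql[i];
    if (c === "\\" && dialect === "mysql") { i++; continue; }
    if (c === "'") {
      if (sql[i + 1] === "'") { i++; continue; }
      return i;
    }
  }
  return -1;
}

// A compiled literal is well formed only if the lexer's closing quote is its
// last character; anything after that would be parsed as SQL.
function literalIsWellFormed(literal: string, dialect: Dialect): boolean {
  return literalEnd(literal, dialect) === literal.length - 1;
}

// Constructed inputs: a benign key, a key carrying a single quote, and a key
// ending in a backslash (only MySQL treats that specially).
const benign: Leg[] = [{ kind: "key", key: "items" }, { kind: "at", index: 3 }];
const quoted: Leg[] = [{ kind: "key", key: "a'b" }];
const slashed: Leg[] = [{ kind: "key", key: "a\\" }];

console.log(compileJsonPath(benign, "sqlite"));              // '$.items[3]'
console.log(compileJsonPath(quoted, "sqlite"));              // '$.a''b'
console.log(literalIsWellFormed(compileJsonPathUnescaped(quoted), "sqlite")); // false
console.log(literalIsWellFormed(compileJsonPath(slashed, "mysql"), "mysql"));  // true
```

Quote doubling alone is the right fix for SQLite; for MySQL under the default `sql_mode` the backslash must be handled too, while under `NO_BACKSLASH_ESCAPES` doubling it would alter the key, so the escaping routine has to know which mode the connection actually uses. The `literalEnd` check is a test-time aid for confirming that whatever the compiler emits cannot end before its last character.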
INFO
Published Date: 2026-03-19T23:14:58.747Z
Last Modified: 2026-03-21T03:05:22.505Z
Source: GitHub_M
AFFECTED PRODUCTS
The following products are affected by the CVE-2026-32763 vulnerability.
| Vendors | Products |
|---|---|
| Kysely-org | Kysely |