GHSA-PV5W-4P9Q-P3V2 Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`

Summary Kysely 0.28.12 added a sanitizeStringLiteral call inside DefaultQueryCompiler.visitJSONPathLeg commit 0a602bf, PR 1727 to fix CVE-2026-32763 GHSA-wmrf-hv6w-mr66. The fix only doubles single quotes ' → ''; it does not escape JSON-path metacharacters ., , , , , ?. When attacker-controlled...

Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`

Summary Kysely 0.28.12 added a sanitizeStringLiteral call inside DefaultQueryCompiler.visitJSONPathLeg commit 0a602bf, PR 1727 to fix CVE-2026-32763 GHSA-wmrf-hv6w-mr66. The fix only doubles single quotes ' → ''; it does not escape JSON-path metacharacters ., , , , , ?. When attacker-controlled...

CVE-2026-6093 Corteza 2024.9.8 - SQL Injection in MSSQL JSON-path meta filter via incorrect T-SQL string escaping

Corteza contains a SQL injection vulnerability in its Microsoft SQL Server MSSQL backend when filtering Compose records by the meta field.This issue affects corteza: 2024.9.8...

PT-2026-39898

Name of the Vulnerable Software and Affected Versions Kysely versions prior to 0.28.16 Description Improper input handling in the JSON-path compiler allows attackers to access sensitive JSON data. The software fails to escape JSON-path metacharacters such as ., , , , , and ?, only doubling single...

MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys

Summary MikroORM's identifier-quoting helper Platform.quoteIdentifier and the postgres/mssql overrides and its JSON-path emitters Platform.getSearchJsonPropertyKey, quoteJsonKey did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When...

PT-2026-39290

Summary MikroORM's identifier-quoting helper Platform.quoteIdentifier and the postgres/mssql overrides and its JSON-path emitters Platform.getSearchJsonPropertyKey, quoteJsonKey did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When...

EUVD-2026-27869

Rucio has SQL Injection in FilterEngine Oracle JSON Path via DID Search API...

📄 Sequelize 6.37.7 SQL Injection

A remote SQL injection vulnerability exists Sequelize versions 6.37.7 and below in the JSON/JSONB where clause processing. When Sequelize parses a JSON path key containing ::, the value after :: is treated as a SQL cast type and is inserted into the generated SQL without proper validation. If an...

CVE-2026-29051 melange has Path Traversal via .PKGINFO in --persist-lint-results

melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, melange lint --persist-lint-results opt-in flag, also usable via melange build --persist-lint-results constructs output file paths by joining --out-dir with the arch and...

CVE-2026-33442 Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.

Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the sanitizeStringLiteral method in Kysely's query compiler escapes single quotes ' → '' but does not escape backslashes. On MySQL with the default BACKSLASHESCAPES SQL mode, an attacker can inject a backslash...

CVE-2026-33442 Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.

Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the sanitizeStringLiteral method in Kysely's query compiler escapes single quotes ' → '' but does not escape backslashes. On MySQL with the default BACKSLASHESCAPES SQL mode, an attacker can inject a backslash...

CVE-2026-33442 Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.

Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the sanitizeStringLiteral method in Kysely's query compiler escapes single quotes ' → '' but does not escape backslashes. On MySQL with the default BACKSLASHESCAPES SQL mode, an attacker can inject a backslash...

CVE-2026-33442

CVE-2026-33442 affects Kysely (TypeScript SQL query builder). In versions 0.28.12 and 0.28.13, the sanitizer for string literals only escapes single quotes, not backslashes, which under MySQL with BACKSLASH_ESCAPES can allow bypassing escaping in JSON path keys. This enables SQL injection via the...

CVE-2026-32763

Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg function appends user-controlled values from .key and .at directly into single-quoted JSON path...

GHSA-FR9J-6MVQ-FRCV Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.

Summary The sanitizeStringLiteral method in Kysely's query compiler escapes single quotes ' → '' but does not escape backslashes. On MySQL with the default BACKSLASHESCAPES SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path...

Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.

Summary The sanitizeStringLiteral method in Kysely's query compiler escapes single quotes ' → '' but does not escape backslashes. On MySQL with the default BACKSLASHESCAPES SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path...

SQL Injection

Overview kysely is a Type safe SQL query builder Affected versions of this package are vulnerable to SQL Injection via the visitJSONPathLeg function, which appends user-controlled values from .key and .at directly into single-quoted JSON path string literals without proper escaping. An attacker c...

CVE-2026-32763

Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg function appends user-controlled values from .key and .at directly into single-quoted JSON path...

PT-2026-26761

Name of the Vulnerable Software and Affected Versions Kysely versions 0.28.12 through 0.28.13 Description Kysely's sanitizeStringLiteral method inadequately handles backslashes when escaping single quotes, leading to potential SQL injection in MySQL databases with the default BACKSLASH ESCAPES SQ...

CVE-2026-32763 SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.

Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg function appends user-controlled values from .key and .at directly into single-quoted JSON path...