CVE-2026-32763

Name of the Vulnerable Software and Affected Versions Kysely versions up to and including 0.28.11

Description Kysely, a type-safe TypeScript SQL query builder, has a SQL injection issue in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg() function directly appends user-controlled values from .key() and .at() into single-quoted JSON path string literals without escaping single quotes. This allows an attacker to break out of the JSON path string context and inject arbitrary SQL. This behavior differs from sanitizeIdentifier(), which correctly handles delimiters for identifiers. The issue arises because both identifiers and JSON path keys are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected. PostgreSQL is not affected as it uses a different approach to JSON path construction that includes proper string literal sanitization. A proof-of-concept demonstrates the ability to exfiltrate data, such as an administrator password, from a SQLite database using a crafted JSON key name. This issue can be exploited in applications that dynamically select JSON fields, such as search APIs or admin panels.

Recommendations Versions prior to 0.28.12 are vulnerable. Update to version 0.28.12 or later to resolve the issue.