Package impact
npm / kysely
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-44635 | high | 7.5 | 7.5 | | | | 2d ago | Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, `DefaultQueryCompiler.visitJSONPathLeg` does not escape JSON-path metacharacters (`.`, `[`, `]`, `*`, `**`, `?`). When attacker-controlle… |
| CVE-2026-33468 | unknown | — | — | | | | 2mo ago | Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings |
| CVE-2026-33442 | unknown | — | — | | | | 2mo ago | Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys. |
| CVE-2026-32763 | unknown | — | — | | | | 2mo ago | SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`. |