Kysely SQL Injection Vulnerability Identified

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the Kysely JavaScript package, affecting versions 0.26.0 through 0.28.16. These vulnerabilities are related to JSON-path traversal and SQL injection, allowing attackers to access and modify sensitive data. This advisory highlights the critical business risk associated with these vulnerabilities, as they can lead to unauthorized access to sensitive data and potentially disrupt business operations. The affected package is widely used in various applications, making prompt attention to this advisory crucial.[emaillocker id="1283"]

• CVE-2026-44635 with a CVSS score of 7.5 – This vulnerability allows for JSON-path traversal and SQL injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` and `.at()`, enabling attackers to access and modify sensitive data.
• CVE-2026-44636 with a CVSS score of 6.5 – This vulnerability allows for JSON-path traversal and SQL injection via unsanitized path-leg metacharacters in `DefaultQueryCompiler.visitJSONPathLeg`, enabling attackers to access and modify sensitive data.

The identified vulnerabilities pose a significant risk to business operations, as they can lead to unauthorized access to sensitive data and potentially disrupt business operations. It is essential to address these vulnerabilities promptly to prevent potential security breaches and reputational damage.

RECOMMENDATION:

• We recommend you to update kysely to version 0.28.17.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-pv5w-4p9q-p3v2