## Kysely SQL Injection Vulnerability Exposed: CVE-2026-32763 in JSON Path Compilation
A critical SQL injection vulnerability has been disclosed in Kysely, the popular TypeScript SQL query builder for Node.js, affecting applications that use its MySQL and SQLite dialects and exposing them to data manipulation and exfiltration. The flaw, tracked as CVE-2026-32763, affects versions up to and including 0.28.11 and stems from improper handling of user-controlled input during JSON path compilation.

The vulnerability is located in the `visitJSONPathLeg()` function, the query-compiler routine that turns the legs of a JSON reference built with `.key()` and `.at()` into a JSON path literal such as `'$.key'`. The function does not escape the leg values; it concatenates them directly into the single-quoted string literal. A value that contains a single quote therefore terminates the literal early, and whatever follows it is parsed by the database as SQL. Any application that forwards user-controlled input (for example a request parameter naming a JSON field or an array index) into `.key()` or `.at()` is exploitable; paths composed only of constants in application code are not. Depending on the privileges of the database account the application connects with, an attacker can read, modify, or delete database contents.
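As an added illustration (not Kysely's code, and not taken from the advisory), the block below reconstructs the pattern described above in a stand-alone toy: `compileJsonPathUnsafe()` interpolates `.key()`/`.at()` values straight into the single-quoted path literal, and `compileJsonPathSafe()` shows the hardened form, which validates each leg against a strict grammar and doubles any single quote. The `key()`/`at()` constructors, the helper names, the `data` column and the sample payload are all constructed for the example.

```javascript
// Added example, not Kysely's implementation: a minimal JSON-path compiler
// that emits the MySQL/SQLite `col->'$.key[idx]'` form from a list of legs.

// A leg is either a `key` (object member) or an `at` (array index).
// Hypothetical constructors mirroring the shape of a `.key()` / `.at()` builder.
const key = (name) => ({ type: "key", value: name });
const at = (index) => ({ type: "at", value: index });

// VULNERABLE: every leg value is appended verbatim to the path, and the path is
// wrapped in single quotes. A value containing `'` closes the literal, so the
// remainder of the value is interpreted as SQL.
function compileJsonPathUnsafe(column, legs) {
  let path = "$";
  for (const leg of legs) {
    path += leg.type === "key" ? `.${leg.value}` : `[${leg.value}]`;
  }
  return `${column}->'${path}'`;
}

// HARDENED: reject any leg that is not a plain identifier (keys) or a
// non-negative integer (indexes), then double any single quote as defence in
// depth. The allow-list is the primary control; see the note on MySQL below.
const KEY_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function compileJsonPathSafe(column, legs) {
  let path = "$";
  for (const leg of legs) {
    if (leg.type === "key") {
      if (typeof leg.value !== "string" || !KEY_RE.test(leg.value)) {
        throw new Error(`invalid JSON path key: ${JSON.stringify(leg.value)}`);
      }
      path += `.${leg.value}`;
    } else if (leg.type === "at") {
      if (!Number.isInteger(leg.value) || leg.value < 0) {
        throw new Error(`invalid JSON path index: ${JSON.stringify(leg.value)}`);
      }
      path += `[${leg.value}]`;
    } else {
      throw new Error(`unknown leg type: ${leg.type}`);
    }
  }
  return `${column}->'${path.replace(/'/g, "''")}'`;
}

// Simplified tokenizer (no escape handling, which is exactly how the unsafe
// output gets parsed): returns whatever follows the first complete '...' literal,
// i.e. the text the database would treat as SQL rather than as the path.
function trailingSql(fragment) {
  const m = /^[^']*'[^']*'(.*)$/s.exec(fragment);
  return m ? m[1] : null;
}

// Constructed sample input: a benign path and a quote-breaking key.
const benign = [key("address"), at(0), key("city")];
const hostile = [key("name' OR 1=1 -- ")];

console.log(compileJsonPathUnsafe("data", benign)); // data->'$.address[0].city'
console.log(compileJsonPathUnsafe("data", hostile)); // data->'$.name' OR 1=1 -- '
console.log(JSON.stringify(trailingSql(compileJsonPathUnsafe("data", hostile))));
try {
  compileJsonPathSafe("data", hostile);
} catch (e) {
  console.log("hardened compiler rejected it:", e.message);
}
```

Two caveats on the hardened form. Quote-doubling alone is not a complete fix on MySQL, where backslash is also an escape character inside string literals unless `NO_BACKSLASH_ESCAPES` is set; that is why the allow-list, which rejects backslashes along with everything else outside the identifier grammar, is the primary control. And JSON member names can legitimately contain spaces, dots or quotes (JSON path writes them as `$."weird key"`); the allow-list deliberately refuses those, and an application that needs them should widen the grammar only for values it controls.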

The security advisory, GHSA-wmrf-hv6w-mr66, was published by the Kysely organization. The fix ships in version 0.28.12, which is the version the automated Renovate dependency-update pull request behind this entry proposes. The patch replaces the insecure string concatenation with proper escaping or parameterization of the JSON path components. Any production system running an affected version against a MySQL or SQLite backend should upgrade immediately; `npm ls kysely` (or the equivalent command for your package manager) shows the installed version. Until the upgrade lands, treat every value that reaches `.key()` or `.at()` as untrusted and restrict it to an allow-list of known field names and integer indexes.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: SQL Injection, CVE-2026-32763, Database Security, Node.js, Vulnerability
- **Credibility**: unverified
- **Published**: 2026-03-31 11:27:19
- **ID**: 43055
- **URL**: https://whisperx.ai/en/intel/43055