Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-3sf6-zg3b-c7cp

Summary Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL. This is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers — both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected. Version 0.28.12 fixes the issue.

Aliases

alias	CVE-2026-32763

alias	GHSA-wmrf-hv6w-mr66

Fixed_packages

url pkg:npm/kysely@0.28.12

purl pkg:npm/kysely@0.28.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3xk5-x7dd-8bhw

vulnerability	VCID-eum9-a3r5-fffe

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.28.12

Affected_packages

url pkg:npm/kysely@0.26.0

purl pkg:npm/kysely@0.26.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.26.0

url pkg:npm/kysely@0.26.1

purl pkg:npm/kysely@0.26.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.26.1

url pkg:npm/kysely@0.26.2

purl pkg:npm/kysely@0.26.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.26.2

url pkg:npm/kysely@0.26.3

purl pkg:npm/kysely@0.26.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.26.3

url pkg:npm/kysely@0.27.0

purl pkg:npm/kysely@0.27.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.27.0

url pkg:npm/kysely@0.27.1

purl pkg:npm/kysely@0.27.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.27.1

url pkg:npm/kysely@0.27.2

purl pkg:npm/kysely@0.27.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.27.2

url pkg:npm/kysely@0.27.3

purl pkg:npm/kysely@0.27.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.27.3

url pkg:npm/kysely@0.27.4

purl pkg:npm/kysely@0.27.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.27.4

url pkg:npm/kysely@0.27.5

purl pkg:npm/kysely@0.27.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.27.5

url pkg:npm/kysely@0.27.6

purl pkg:npm/kysely@0.27.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.27.6

url pkg:npm/kysely@0.28.0

purl pkg:npm/kysely@0.28.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.28.0

url pkg:npm/kysely@0.28.1

purl pkg:npm/kysely@0.28.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.28.1

url pkg:npm/kysely@0.28.2

purl pkg:npm/kysely@0.28.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.28.2

url pkg:npm/kysely@0.28.3

purl pkg:npm/kysely@0.28.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.28.3

url pkg:npm/kysely@0.28.4

purl pkg:npm/kysely@0.28.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.28.4

url pkg:npm/kysely@0.28.5

purl pkg:npm/kysely@0.28.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.28.5

url pkg:npm/kysely@0.28.6

purl pkg:npm/kysely@0.28.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.28.6

url pkg:npm/kysely@0.28.7

purl pkg:npm/kysely@0.28.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.28.7

url pkg:npm/kysely@0.28.8

purl pkg:npm/kysely@0.28.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.28.8

url pkg:npm/kysely@0.28.9

purl pkg:npm/kysely@0.28.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.28.9

url pkg:npm/kysely@0.28.10

purl pkg:npm/kysely@0.28.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.28.10

url pkg:npm/kysely@0.28.11

purl pkg:npm/kysely@0.28.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xj5-7wxc-dkbw

vulnerability	VCID-3sf6-zg3b-c7cp

vulnerability	VCID-3xk5-x7dd-8bhw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/kysely@0.28.11

References

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-32763

reference_id

reference_type

scores

value	0.00021
scoring_system	epss
scoring_elements	0.06106
published_at	2026-06-11T12:55:00Z

value	0.00021
scoring_system	epss
scoring_elements	0.06111
published_at	2026-06-14T12:55:00Z

value	0.00021
scoring_system	epss
scoring_elements	0.06129
published_at	2026-06-12T12:55:00Z

value	0.00021
scoring_system	epss
scoring_elements	0.06123
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-32763

reference_url

https://github.com/kysely-org/kysely

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/kysely-org/kysely

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-32763

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-32763

reference_url

https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24

reference_id

0a602bff2f442f6c26d5e047ca8f8715179f6d24

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-21T03:04:47Z/

url

https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24

reference_url

https://github.com/advisories/GHSA-wmrf-hv6w-mr66

reference_id

GHSA-wmrf-hv6w-mr66

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wmrf-hv6w-mr66

reference_url

https://github.com/kysely-org/kysely/security/advisories/GHSA-wmrf-hv6w-mr66

reference_id

GHSA-wmrf-hv6w-mr66

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-21T03:04:47Z/

url

https://github.com/kysely-org/kysely/security/advisories/GHSA-wmrf-hv6w-mr66

reference_url

https://github.com/kysely-org/kysely/releases/tag/v0.28.12

reference_id

v0.28.12

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-21T03:04:47Z/

url

https://github.com/kysely-org/kysely/releases/tag/v0.28.12

Weaknesses

cwe_id	89
name	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
description	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 7.0 - 8.9

Exploitability 0.5

Weighted_severity 8.0

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3sf6-zg3b-c7cp

Vulnerability Instance