PatchSiren

kysely-org CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH kysely-org CVE published 2026-05-27

CVE-2026-44635

CVE-2026-44635 is a high-severity (CVSS 7.5) JSON path injection vulnerability in Kysely, a type-safe TypeScript SQL query builder. The issue affects versions 0.26.0 through 0.28.16, where the `DefaultQueryCompiler.visitJSONPathLeg` method fails to escape JSON-path metacharacters including `.`, `[`, `]`, `*`, `**`, and `?`. When attacker-controlled input flows into `eb.ref(col, '->$').key(input)` or `.at( [truncated]
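As an added illustration of the pattern this debrief describes, the TypeScript below is not Kysely's code and does not import it. `unsafeJsonPath` is a simplified stand-in for a JSON path-leg builder that interpolates the key verbatim (the MySQL-style `col->'$.key'` output shape and the `profile` column are assumptions for the demo), so it reproduces the effect of the unescaped metacharacters listed above. `isSafeJsonKey` and `safeJsonPath` show the caller-side allowlist a consumer can apply before untrusted input reaches `.key()`; the sample attacker inputs are constructed.

```typescript
// Added example, not Kysely's code. A simplified model of the unsafe
// concatenation described in the debrief plus a caller-side allowlist check.

// Metacharacters the debrief lists as unescaped in visitJSONPathLeg
// ('**' is covered by matching a single '*').
const JSON_PATH_META = /[.\[\]*?]/;

// Conservative allowlist for object keys: identifier-like names only.
// Wildcards, array subscripts, filters and nested paths are all rejected.
const SAFE_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Stand-in for a path-leg builder that interpolates the key verbatim.
// Assumption: MySQL-style output `col->'$.key'`; this is NOT Kysely's compiler.
function unsafeJsonPath(column: string, key: string): string {
  return `${column}->'$.${key}'`;
}

// True only for keys that cannot change the structure of the JSON path.
function isSafeJsonKey(key: string): boolean {
  return SAFE_KEY.test(key) && !JSON_PATH_META.test(key);
}

// Hardened wrapper: validate before the key ever reaches the path builder.
function safeJsonPath(column: string, key: string): string {
  if (!isSafeJsonKey(key)) {
    throw new Error(`rejected JSON path key: ${JSON.stringify(key)}`);
  }
  return unsafeJsonPath(column, key);
}

// Classifies a batch of candidate keys and shows what the unescaped builder
// would have emitted for each one.
function classifyKeys(
  keys: string[],
): { key: string; safe: boolean; unsafeOutput: string }[] {
  return keys.map((key) => ({
    key,
    safe: isSafeJsonKey(key),
    unsafeOutput: unsafeJsonPath("profile", key),
  }));
}

// Constructed sample inputs: one benign key and several that change the
// meaning of the path when left unescaped (wildcard, recursive wildcard,
// nested member, array subscript, filter expression).
const SAMPLE_KEYS = ["email", "*", "**", "name.secret", "items[0]", "?(@.admin)"];

for (const row of classifyKeys(SAMPLE_KEYS)) {
  const verdict = row.safe ? "ALLOW " : "REJECT";
  console.log(`${verdict} ${JSON.stringify(row.key).padEnd(14)} -> ${row.unsafeOutput}`);
}
```

The allowlist is deliberately stricter than a blocklist of the six listed metacharacters: a key that is only ever expected to be an object member name has no legitimate reason to contain anything outside `[A-Za-z0-9_]`, so rejecting everything else closes the gap even if a dialect accepts further path syntax the debrief does not enumerate.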