


Perceptive Security
SOC/SIEM Consultancy

Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters (., […
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 20:13:41
Source:
nvd.nist.gov
Web Technologies, Database & Storage, Supply Chain & Dependencies
CVE-2026-44635 affects Kysely, a type-safe TypeScript SQL query builder, in versions 0.26.0 to 0.28.16. The vulnerability lies in DefaultQueryCompiler.visitJSONPathLeg, which fails to escape the JSON-path metacharacters (., [, ], *, **, ?). When attacker-controlled input flows into methods such as eb.ref(col, '->$').key(input) or .at(input), the attacker can traverse beyond the intended JSON key into sibling and child fields. This gives unauthorized read access to JSON sub-fields and, in update statements, unauthorized write access, on MySQL, PostgreSQL, and SQLite. The vulnerability is fixed in version 0.28.17.
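Added example, not code from Kysely or from the advisory: a call-site guard in TypeScript that rejects JSON-path segments containing the metacharacters listed above, accepts only canonical non-negative integers as array indexes, and optionally enforces an allow-list of keys, so that untrusted input never reaches .key()/.at() unchecked while the upgrade to 0.28.17 is being rolled out. The type and function names (JsonLeg, isSafeJsonKey, isSafeJsonIndex, validateLegs, renderPath, safePathOrNull) and the sample requests are assumptions constructed for illustration; renderPath only mirrors the shape of an unescaped path for logging and tests and is not how any database or query builder compiles it.

```typescript
// Added example (not Kysely's code). Call-site guard for the defect described in
// CVE-2026-44635: a query builder that pastes JSON-path legs into SQL without escaping
// lets a caller-supplied segment such as "a.b", "*" or "[0]" reach fields the caller
// was never meant to address. Refuse any segment that is not a plain key or a
// non-negative integer index. All names below are hypothetical.

type JsonLeg = { kind: "key"; value: string } | { kind: "index"; value: number | string };

// Metacharacters named in the advisory: ".", "[", "]", "*" (which also covers "**"), "?".
const JSON_PATH_METACHARS = /[.\[\]*?]/;

function isSafeJsonKey(input: string): boolean {
  // Plain object key: non-empty, no traversal metacharacters, and no quote or
  // backslash that could break out of a quoted key in a database JSON path.
  return input.length > 0 && !JSON_PATH_METACHARS.test(input) && !/["\\]/.test(input);
}

function isSafeJsonIndex(input: number | string): boolean {
  // Only canonical non-negative integers; rejects "*", "last", "-1", "01", "1 to 3".
  return typeof input === "number"
    ? Number.isInteger(input) && input >= 0
    : /^(0|[1-9][0-9]*)$/.test(input);
}

// Validate every leg. On success return the legs unchanged so they can be handed
// one by one to .key()/.at(); on failure throw so the request never reaches the database.
function validateLegs(legs: JsonLeg[], allowedKeys?: readonly string[]): JsonLeg[] {
  for (const leg of legs) {
    if (leg.kind === "key") {
      if (!isSafeJsonKey(leg.value)) {
        throw new Error(`rejected JSON key ${JSON.stringify(leg.value)}: contains path metacharacters`);
      }
      if (allowedKeys && !allowedKeys.includes(leg.value)) {
        throw new Error(`rejected JSON key ${JSON.stringify(leg.value)}: not in allow-list`);
      }
    } else if (!isSafeJsonIndex(leg.value)) {
      throw new Error(`rejected JSON index ${JSON.stringify(leg.value)}: not a non-negative integer`);
    }
  }
  return legs;
}

// Render the path shape for already-validated legs (for logging and tests only).
function renderPath(legs: JsonLeg[]): string {
  return "$" + legs.map((l) => (l.kind === "key" ? `.${l.value}` : `[${l.value}]`)).join("");
}

// Convenience wrapper: the rendered path, or null when validation rejects the input.
function safePathOrNull(legs: JsonLeg[], allowedKeys?: readonly string[]): string | null {
  try {
    return renderPath(validateLegs(legs, allowedKeys));
  } catch {
    return null;
  }
}

// Constructed inputs, as an application receiving a "field" parameter might see them.
const ALLOWED_PROFILE_KEYS = ["displayName", "locale", "emails"] as const;
const requests: JsonLeg[][] = [
  [{ kind: "key", value: "emails" }, { kind: "index", value: 0 }],   // legitimate
  [{ kind: "key", value: "emails" }, { kind: "index", value: "*" }], // wildcard index
  [{ kind: "key", value: "locale.isAdmin" }],                        // dotted key reaches a nested field
  [{ kind: "key", value: "roles" }],                                 // key not on the allow-list
];

for (const legs of requests) {
  const path = safePathOrNull(legs, ALLOWED_PROFILE_KEYS);
  console.log(path === null ? `REJECTED ${JSON.stringify(legs)}` : `OK ${path}`);
}
```

Run as-is, the loop accepts only the first request and rejects the other three. The allow-list is the stronger control where the set of addressable keys is known; the metacharacter check alone still blocks traversal when it is not.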
Technical details
Mitigation steps:
Affected products:
Kysely
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-44635
https://github.com/kysely-org/kysely/security/advisories/GHSA-pv5w-4p9q-p3v2
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
