CVE-2026-47387: Knex Raw Dynamic Value Injection

Provally Curated · Public repository · High · Medium confidence · Verified · Apache-2.0 · TS
greprules fetch cve-2026-47387-knex-raw-dynamic-value-injection --engine opengrep

Description

Detected the direct injection of a dynamic object property (such as an AST node's `.value`) as the first argument to `knex.raw()`. This bypasses query parameterization and enables SQL injection if the property holds user-controlled data. The first argument of `knex.raw()` must be a static SQL string. Dynamic user inputs must be passed safely via the second a
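The following JavaScript is an added illustration, not the rule's own implementation and not code from the greprules or Provally page. It applies the rule's criterion to a constructed sample: every `<receiver>.raw(` call site is located, its first argument is extracted, and the call is reported unless that argument is a single string literal with no interpolation. The sample also shows the accepted forms the description points to, where the dynamic value travels in the second (bindings) argument as `?` positional or `:name` named parameters. The function and constant names (`findUnsafeRawCalls`, `isStaticSqlLiteral`, `SAMPLE_SOURCE`) are chosen here and are not from the rule.

```javascript
// Added example: a minimal source-level check for the pattern this rule
// describes (a non-literal first argument to knex.raw()). It is not the
// rule's own implementation and is not part of the greprules/Provally page.

// Constructed sample source (not from any real project).
const SAMPLE_SOURCE = [
  "// constructed sample: one raw-query call site per line",
  "const a = knex.raw(node.value);",
  "const b = knex.raw(`SELECT * FROM users WHERE name = '${node.value}'`);",
  "const c = knex.raw('SELECT * FROM users WHERE id = ?', [node.value]);",
  "const d = knex.raw('SELECT * FROM users WHERE id = :id', { id: node.value });",
  "const e = knex.raw(`SELECT count(*) FROM users`);",
  "const f = knex.raw(buildWhere(filters));",
  "const g = knex.raw('SELECT * FROM ' + table);",
].join("\n");

// Scan from `start` (just past the opening parenthesis of a call) and return
// the text of the first argument, stopping at a top-level comma or the
// closing parenthesis. Nesting and string literals are tracked so commas
// inside brackets or quotes do not split the argument.
function firstArgument(source, start) {
  let depth = 0;
  let quote = null;
  let i = start;
  for (; i < source.length; i++) {
    const ch = source[i];
    if (quote) {
      if (ch === "\\") { i++; continue; }   // skip the escaped character
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === "'" || ch === '"' || ch === "`") { quote = ch; continue; }
    if (ch === "(" || ch === "[" || ch === "{") { depth++; continue; }
    if (ch === ")" || ch === "]" || ch === "}") {
      if (depth === 0) break;
      depth--;
      continue;
    }
    if (ch === "," && depth === 0) break;
  }
  return source.slice(start, i).trim();
}

// A first argument is acceptable only if it is one string literal with no
// interpolation: a quoted string, or a template literal without `${`.
// Identifiers, member access, calls, concatenation and templates with
// placeholders are all treated as dynamic SQL.
const SINGLE_QUOTED = /^'(?:[^'\\]|\\.)*'$/;
const DOUBLE_QUOTED = /^"(?:[^"\\]|\\.)*"$/;
const TEMPLATE = /^`(?:[^`\\]|\\.)*`$/;
const INTERPOLATION = /(^|[^\\])\$\{/;

function isStaticSqlLiteral(arg) {
  if (SINGLE_QUOTED.test(arg) || DOUBLE_QUOTED.test(arg)) return true;
  if (TEMPLATE.test(arg)) return !INTERPOLATION.test(arg);
  return false;
}

// Report every `<receiver>.raw(` call whose first argument is not a static
// SQL literal. Returns [{ line, receiver, firstArg }], 1-indexed lines.
function findUnsafeRawCalls(source) {
  const findings = [];
  const callPattern = /\b(\w+)\.raw\s*\(/g;
  let match;
  while ((match = callPattern.exec(source)) !== null) {
    const argStart = match.index + match[0].length;
    const firstArg = firstArgument(source, argStart);
    if (!isStaticSqlLiteral(firstArg)) {
      const line = source.slice(0, match.index).split("\n").length;
      findings.push({ line, receiver: match[1], firstArg });
    }
  }
  return findings;
}

for (const f of findUnsafeRawCalls(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.receiver}.raw(${f.firstArg}, ...) has a dynamic first argument`);
}
```

Run against the sample, the check reports lines 2, 3, 7 and 8 (a bare property, an interpolated template, a call result and a concatenation) and accepts lines 4, 5 and 6, where the SQL text is fixed and the dynamic value, if any, sits in the bindings argument. A text scan like this is deliberately narrower than the rule's engine: it cannot follow a variable that was assigned a literal earlier, so it will flag `knex.raw(sql)` even when `sql` is constant, which is the conservative direction for a review aid.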