CVE-2026-28438 · CRITICAL 9.8 · EPSS percentile 19.7%

Description

CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target connector did not verify the configured table name before building some SQL statements (ALTER TABLE). Consequently, if the application code takes the table name from an untrusted upstream source, it exposes a SQL injection vulnerability when the target schema changes. This issue has been patched in version 0.3.34.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.28% probability of exploitation · percentile 19.7% · 2026-06-18T12:00:27Z
Published: 2026-03-06
Last modified: 2026-03-10

Underlying weaknesses · 1

CWE-89

References

  1. https://github.com/cocoindex-io/cocoindex/commit/ba2fc4a89e22d35572c64bd2990737c7913b0729
  2. https://github.com/cocoindex-io/cocoindex/security/advisories/GHSA-59g6-v3vg-f7wc


Type     | Target                                                                                  | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-40978
  2. CVE-2026-22730
  3. CVE-2026-27413
  4. CVE-2025-62228
  5. CVE-2026-24713
  6. CVE-2025-62422

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.