CocoIndex Doris Connector Allows SQL Injection via Malicious Table Names

CVE-2026-28438 · GHSA-59g6-v3vg-f7wc
Summary

CocoIndex's Doris connector in versions prior to 0.3.34 does not validate the configured table name before building SQL statements, so an attacker who controls the table name used in the connection can inject SQL. Update to version 0.3.34 or later to fix this issue.

What to do
  • Update cocoindex to version 0.3.34.
Affected software
Vendor       Product      Affected versions   Fix available
-            cocoindex    <= 0.3.34           0.3.34
cocoindex    cocoindex    <= 0.3.34           -
Original description
CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target connector didn't verify the configured table name before creating some SQL statements (ALTER TABLE). So, in the application code, if the table name is provided by an untrusted upstream, it exposes a SQL injection vulnerability when the target schema changes. This issue has been patched in version 0.3.34.
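The unsafe pattern the description refers to, shown beside a hardened form, as an added illustration that is not CocoIndex's own code or its actual fix. It assumes Doris's MySQL-style backtick quoting and a strict identifier allow-list; the table names and column types are constructed sample values.

```python
import re

# Allow-list for one identifier part (assumption for this illustration): a letter
# or underscore followed by letters, digits or underscores. Doris is MySQL-
# compatible, so identifiers are quoted with backticks.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_identifier(part: str) -> str:
    """Reject anything that is not a plain SQL identifier (no quotes, spaces, ';', etc.)."""
    if not _IDENT.fullmatch(part):
        raise ValueError(f"invalid identifier: {part!r}")
    return part


def validate_table_name(name: str) -> tuple:
    """Accept 'table' or 'db.table'; every part must pass validate_identifier."""
    parts = name.split(".")
    if len(parts) not in (1, 2):
        raise ValueError(f"invalid table name: {name!r}")
    return tuple(validate_identifier(p) for p in parts)


def quote_identifier(part: str) -> str:
    # Backtick quoting; a literal backtick would be doubled, but the allow-list
    # above never lets one through in the first place.
    return "`" + part.replace("`", "``") + "`"


def build_add_column_unchecked(table: str, column: str, column_type: str) -> str:
    """The unsafe pattern: the configured table name is spliced in verbatim, so an
    untrusted upstream that controls it also controls the statement text."""
    return f"ALTER TABLE {table} ADD COLUMN {column} {column_type}"


# Column types must come from the application's own fixed set, never from input.
ALLOWED_TYPES = {"INT", "BIGINT", "DOUBLE", "VARCHAR(255)", "DATETIME"}


def build_add_column(table: str, column: str, column_type: str) -> str:
    """The hardened form: validated, backtick-quoted identifiers and an allow-listed type."""
    if column_type not in ALLOWED_TYPES:
        raise ValueError(f"column type not allowed: {column_type!r}")
    qualified = ".".join(quote_identifier(p) for p in validate_table_name(table))
    col = quote_identifier(validate_identifier(column))
    return f"ALTER TABLE {qualified} ADD COLUMN {col} {column_type}"
```

Validation of the identifier has to happen before the statement is assembled; a name that fails the allow-list should abort the schema change rather than be quoted and passed on.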
NVD CVSS 4.0 score: 6.9
Vulnerability type
CWE-89 SQL Injection
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026