CVE-2026-28438

UNKNOWN 0.0

CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target connector didn't verify the configured table name before creating some SQL statements (ALTER TABLE). So, in the application code, if the table name is provided by an untrusted upstream, it expose vulnerability to SQL injection when target schema change. This issue has been patched in version 0.3.34.

CWE	CWE-89
Vendor	cocoindex-io
Product	cocoindex
Published	Mar 6, 2026
Last Updated	Mar 6, 2026

Stay Ahead of the Next One

Get instant alerts for cocoindex-io cocoindex

Be the first to know when new unknown vulnerabilities affecting cocoindex-io cocoindex are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

cocoindex-io / cocoindex

< 0.3.34

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/cocoindex-io/cocoindex/security/advisories/GHSA-59g6-v3vg-f7wc github.com: https://github.com/cocoindex-io/cocoindex/commit/ba2fc4a89e22d35572c64bd2990737c7913b0729