CVE-2026-28438
CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements
Description

### Impact

The Doris target connector didn't verify the configured table name before constructing some SQL statements (`ALTER TABLE`). So if, in the application code, the table name is provided by an untrusted upstream, this exposes a SQL injection vulnerability when the target schema changes.

### Patches

Yes, it's fixed in cocoindex 0.3.34: table names passed to the Doris target are now validated at the entry point, and an error is raised immediately if the name is not a valid identifier.

### Workarounds

Users should make sure table names used to configure CocoIndex targets are valid, regardless of this fix. This means:

- The table name comes from a trusted source (for most cases it's just a fixed string literal).
- Even if it comes from an untrusted source (e.g. provided by an end user), it should be validated before being used to configure the Doris target for CocoIndex.
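The following is an added illustration of the fix described above, written for this page and not taken from CocoIndex or the Doris connector. It shows the pattern the advisory warns about (a table name interpolated straight into an `ALTER TABLE` statement) next to a hardened builder that validates every identifier at the entry point and rejects anything that is not a plain identifier. The identifier rule (letters, digits, underscore, at most 64 characters, optionally schema-qualified as `db.table`) and the column-type allow-list are assumptions chosen for the example, not Doris's or CocoIndex's actual rules.

```python
import re

# Conservative identifier rule (assumption for this example, not Doris's grammar):
# a letter or underscore followed by up to 63 letters, digits or underscores.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

# Column types the hardened builder will accept (assumed allow-list).
_ALLOWED_TYPES = {"INT", "BIGINT", "DOUBLE", "DATETIME", "VARCHAR(255)"}


def is_valid_identifier(name: str) -> bool:
    """True if `name` is a single bare identifier safe to quote and embed."""
    return isinstance(name, str) and _IDENT_RE.fullmatch(name) is not None


def quote_identifier(name: str) -> str:
    """Validate an identifier and wrap it in backticks; raise on anything else."""
    if not is_valid_identifier(name):
        raise ValueError(f"invalid SQL identifier: {name!r}")
    return f"`{name}`"


def quote_table_name(name: str) -> str:
    """Accept `table` or `db.table`; each part is validated separately."""
    parts = name.split(".")
    if len(parts) > 2:
        raise ValueError(f"invalid table name: {name!r}")
    return ".".join(quote_identifier(part) for part in parts)


def build_alter_table_unchecked(table: str, column: str, col_type: str) -> str:
    """The pattern described in the advisory: no validation of the table name.

    Whatever the caller passes as `table` becomes part of the statement text.
    """
    return f"ALTER TABLE {table} ADD COLUMN {column} {col_type}"


def build_alter_table_checked(table: str, column: str, col_type: str) -> str:
    """Hardened version: validate and quote identifiers, allow-list the type."""
    normalized_type = col_type.upper()
    if normalized_type not in _ALLOWED_TYPES:
        raise ValueError(f"unsupported column type: {col_type!r}")
    return (
        f"ALTER TABLE {quote_table_name(table)} "
        f"ADD COLUMN {quote_identifier(column)} {normalized_type}"
    )


if __name__ == "__main__":
    # Constructed inputs: one ordinary name and one that is not an identifier.
    for table in ("doc_chunks", "analytics.doc_chunks", "docs; DROP TABLE users"):
        print("unchecked:", build_alter_table_unchecked(table, "score", "DOUBLE"))
        try:
            print("checked:  ", build_alter_table_checked(table, "score", "double"))
        except ValueError as exc:
            print("checked:   rejected ->", exc)
```

The validation happens where the name enters the system, which is the same place the advisory says the patched connector now checks it; the statement builder never sees an unvalidated string, so a bad name is rejected before any schema change is attempted rather than at execution time.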
How to fix CVE-2026-28438
To fix CVE-2026-28438, upgrade the affected package to the patched version listed below.
- — upgrade to 0.3.34 or later
Is CVE-2026-28438 being exploited?
Low — EPSS is 0.0%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)
- from 0, < 0.3.34
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U |