Skip to main content

Schemahero CVE-2026-33643

| EUVDEUVD-2026-17137 HIGH
SQL Injection (CWE-89)
2026-03-30 cve@mitre.org
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 30, 2026 - 16:22 euvd
EUVD-2026-17137
Analysis Generated
Mar 30, 2026 - 16:22 vuln.today
CVE Published
Mar 30, 2026 - 16:16 nvd
HIGH 7.4

DescriptionCVE.org

SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the mysqlColumnAsInsert function in file plugins/mysql/lib/column.go.

AnalysisAI

SQL injection in SchemaHero 0.23.0 allows remote attackers to execute arbitrary SQL commands through the column parameter in the mysqlColumnAsInsert function located in plugins/mysql/lib/column.go. The vulnerability affects the MySQL plugin component and enables attackers to manipulate database queries, potentially leading to unauthorized data access, modification, or deletion. Public proof-of-concept code is available, and CVSS/EPSS data are not yet assigned by NVD.

Technical ContextAI

SchemaHero is a Kubernetes-native schema management tool that uses database-specific plugins to handle schema migrations. The MySQL plugin contains a function (mysqlColumnAsInsert) that processes column definitions for INSERT statement generation. The SQL injection flaw exists in how the column parameter is handled without sufficient input validation or parameterized query use, allowing attacker-controlled input to be directly concatenated into SQL queries. This is a classic CWE-89 (SQL Injection) where user-supplied data reaches the SQL query execution context without proper escaping or prepared statement mechanisms.

RemediationAI

Upgrade SchemaHero immediately to a patched version released after 0.23.0; check the official SchemaHero GitHub repository (https://github.com/schemahero/schemahero) for the next available release with SQL injection fixes applied to plugins/mysql/lib/column.go. Until patching is possible, restrict network access to SchemaHero APIs and CLI endpoints to trusted administrative networks only, and avoid using SchemaHero 0.23.0 for any new schema migrations. Review the proof-of-concept documentation at https://github.com/b0b0haha/SchemaHero--Sqlinjection/blob/main/README.md to understand the attack surface and validate whether your deployment is exposed.

Share

CVE-2026-33643 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy