Description
SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the mysqlColumnAsInsert function in file plugins/mysql/lib/column.go.
Published: 2026-03-30
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection leading to data compromise
Action: Immediate Patch
AI Analysis

Impact

SchemaHero 0.23.0 contains an unchecked inclusion of the column parameter in the mysqlColumnAsInsert function, allowing an attacker to inject arbitrary SQL. This flaw could enable unauthorized reading, modification, or deletion of database contents, representing a classic code injection vulnerability classified as CWE‑89.

Affected Systems

The only known affected build is SchemaHero version 0.23.0. Earlier or later releases are not listed as vulnerable.

Risk and Exploitability

The CVSS score of 7.4 denotes high impact, while an EPSS score below 1% indicates a low current likelihood of exploitation. The vulnerability is not present in the CISA KEV catalog. Attackers could exploit this flaw remotely if they can supply input to the column argument, such as through API calls or configuration files that invoke mysqlColumnAsInsert, potentially granting full data compromise when sufficient privileges exist.

Generated by OpenCVE AI on April 2, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SchemaHero to a version newer than 0.23.0 that addresses the mysqlColumnAsInsert injection flaw
  • If an upgrade is not immediately possible, restrict external access to the SchemaHero API or disable any components that invoke mysqlColumnAsInsert until the patch is applied
  • Verify that the patched version is running in production and monitor logs for unexpected SQL execution attempts

Generated by OpenCVE AI on April 2, 2026 at 23:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in SchemaHero via mysqlColumnAsInsert Function

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Schemahero
Schemahero schemahero
CPEs cpe:2.3:a:schemahero:schemahero:*:*:*:*:*:*:*:*
Vendors & Products Schemahero
Schemahero schemahero

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title SQL Injection in SchemaHero via mysqlColumnAsInsert Function

Mon, 30 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the mysqlColumnAsInsert function in file plugins/mysql/lib/column.go.
References

Subscriptions

Schemahero Schemahero
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-30T19:32:16.909Z

Reserved: 2026-03-23T00:00:00.000Z

Link: CVE-2026-33643

cve-icon Vulnrichment

Updated: 2026-03-30T19:25:45.863Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T16:16:06.880

Modified: 2026-04-02T20:00:48.393

Link: CVE-2026-33643

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:38:22Z

Weaknesses