CVE-2026-40978 - High - CVE-2026-40978: SQL Injection in CosmosDBVectorStore.doDelete()
Spring
·
2026-04-27
·
via Spring Security Advisories
Description SQL injection vulnerability in Spring AI's CosmosDBVectorStore allows attackers to execute arbitrary SQL queries via crafted document IDs. Only applications that use CosmosDBVectorStore and pass user-supplied input as document ids are affected. Affected Spring Products and Versions Spring AI: 1.0.0 - 1.0.x 1.1.0 - 1.1.x Mitigation Users of affected versions should upgrade to the corresponding fixed version. Affected version(s) Fix version Availability 1.0.x 1.0.6 OSS 1.1.x 1.1.5 OSS No further mitigation steps are necessary. Credit The issue was reported responsibly by SharlongWen References https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。