Description: SQL injection vulnerabilities in the Snowflake Snowpark Python SDK (snowpark-python) versions prior to 1.53.0 could allow authenticated low-privilege users to execute SQL beyond their authorization scope. An attacker could exploit these vulnerabilities by embedding SQL payloads in source database column names to escalate privileges via the DataFrameReader.dbapi() API by supplying a specially crafted location parameter to DataFrameWriter write methods to redirect a COPY INTO to an arbitrary source query, or by including a backslash-single-quote sequence in an export path to defeat the normalize_path() sanitizer and inject SQL via DataFrame.to_csv(). Successful exploitation may result in source database compromise, unauthorized cross-tenant data exfiltration, or unauthorized read of Snowflake account data.
The CVSS Base Score is a score from 0 to 10 that represents the intrinsic severity of a vulnerability. A higher score indicates greater severity.
Database CWE: v4.18
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ↗
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Fonte: MITRE CWE
The EPSS (Exploit Prediction Scoring System) is a score from 0 to 1 that indicates the probability that a vulnerability will be exploited in the real world in the next 30 days. A higher value indicates a greater likelihood of exploitation.
The Percentile indicates how much higher this vulnerability's EPSS score is compared to all other vulnerabilities in the EPSS database. For example, a percentile of 0.90 (90%) means that 90% of vulnerabilities have an EPSS score equal to or lower than the current one.
*Data updated as of: 2026-07-09
The CISA KEV Catalog lists vulnerabilities that have been actively exploited in the real world. If a CVE is present in this catalog, it indicates that the threat is immediate and mitigation should be a top priority.
CVE CVE-2026-15062 is not present in the CISA KEV Catalog. This indicates that it is not currently classified by CISA as an actively exploited vulnerability.
No articles present on Red Hot Cyber.
Connection error to GitHub, or rate limit exceeded. Please try again later.