{"schema_version": "1.6.1", "id": "CVE-2025-27018", "summary": "SQL injection in MySQL provider core function", "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider.\n\nWhen user triggered a DAG with dump_sql or load_sql functions they could pass a table parameter from a UI, that could cause SQL injection by running SQL that was not intended.\nIt could lead to data corruption, modification and others.\nThis issue affects Apache Airflow MySQL Provider: before 6.2.0.\n\nUsers are recommended to upgrade to version 6.2.0, which fixes the issue.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "6.2.0"}]}]}], "references": [{"type": "WEB", "url": "https://github.com/apache/airflow/pull/47254"}, {"type": "WEB", "url": "https://github.com/apache/airflow/pull/47255"}, {"type": "WEB", "url": "https://lists.apache.org/thread/m8ohgkwz4mq9njohf66sjwqjdy28gvzf"}]}