Yes, SQL injection could possible be an issue here, if the data in ColumnText is written such way.

But since the beginning of the UPDATE-statement is hardwired with "UPDATE", I right now can't see a way to manipulate the statement to run SQL injection code.