CVE-2026-46373
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk12th percentile - higher than 12% of all known CVEs
Summary
SQLFluff is a modular SQL linter and auto-formatter that prior to version 4.1.0 had a vulnerability allowing untrusted users to submit malicious SQL queries. Such queries could lead to Denial of Service through resource exhaustion.
Risk Assessment
Organizations using SQLFluff versions prior to 4.1.0 are vulnerable to Denial of Service attacks, which may result in application downtime.
Recommendation
It is recommended to upgrade SQLFluff to version 4.1.0 or later to mitigate this vulnerability.
Original NVD description (English source)
SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.1.0.

