CVE-2026-46374
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk12th percentile - higher than 12% of all known CVEs
Summary
SQLFluff is a modular SQL linter and auto-formatter that prior to version 4.2.0 had a vulnerability allowing untrusted users to submit malicious long SQL queries. This could lead to a Denial of Service attack through resource exhaustion.
Risk Assessment
Organizations using SQLFluff versions prior to 4.2.0 are at risk of attacks that could lead to application unavailability due to resource exhaustion.
Recommendation
It is recommended to upgrade SQLFluff to version 4.2.0 or later to mitigate this vulnerability.
Original NVD description (English source)
SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.2.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.2.0.

