CVE Catalog

CVE-2026-46374

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

12th percentile - higher than 12% of all known CVEs

Summary

SQLFluff is a modular SQL linter and auto-formatter that prior to version 4.2.0 had a vulnerability allowing untrusted users to submit malicious long SQL queries. This could lead to a Denial of Service attack through resource exhaustion.

Risk Assessment

Organizations using SQLFluff versions prior to 4.2.0 are at risk of attacks that could lead to application unavailability due to resource exhaustion.

Recommendation

It is recommended to upgrade SQLFluff to version 4.2.0 or later to mitigate this vulnerability.

Original NVD description (English source)

SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.2.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.2.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS