CVE-2026-46373

Source
https://cve.org/CVERecord?id=CVE-2026-46373
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46373.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46373
Aliases
Downstream
Published
2026-06-09T22:38:33.313Z
Modified
2026-07-08T08:13:48.332077184Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
SQLFluff: Recursive Stack Overflow in Parser
Details

SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.1.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46373.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-674"
    ]
}
References

Affected packages

Git / github.com/sqlfluff/sqlfluff

Affected ranges

Type
GIT
Repo
https://github.com/sqlfluff/sqlfluff
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:sqlfluff:sqlfluff:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.1.0"
        }
    ]
}

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.6
0.0.7
0.1.0
0.1.4
0.1.5
0.10.0
0.10.1
0.11.0
0.11.1
0.11.2
0.12.0
0.13.0
0.13.1
0.13.2
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.4.0
0.4.0a1
0.4.0a2
0.4.0a3
0.4.1
0.5.4
0.5.5
0.5.6
0.6.0
0.6.0a1
0.6.0a2
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.7.0
0.7.0a1
0.7.0a2
0.7.0a5
0.7.0a6
0.7.0a7
0.7.0a8
0.7.1
0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
1.*
1.0.0
1.1.0
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
2.*
2.0.0
2.0.0a1
2.0.0a2
2.0.0a3
2.0.0a4
2.0.0a5
2.0.0a6
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
3.*
3.0.0
3.0.0a1
3.0.0a2
3.0.0a3
3.0.0a4
3.0.0a5
3.0.0a6
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.1.0
3.1.1
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.3.0
3.3.1
3.4.0
3.4.1
3.4.2
3.5.0
4.*
4.0.0
4.0.0a1
4.0.0a2
4.0.0a3
4.0.1
4.0.1.post1
4.0.2
4.0.3
4.0.4
4.0.4a1
Other
untagged-0ddecca233f58d1186e1
untagged-1900b8efc1b9d793637f
untagged-eb9d263623ead02fd9ca

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46373.json"