Source: sqlfluff Version: 3.5.0-2 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for sqlfluff. CVE-2026-46373[0]: | SQLFluff is a modular SQL linter and auto-formatter with support for | multiple dialects and templated code. Prior to version 4.1.0, in | deployments where untrusted users can provide SQL queries to be | linted, an untrusted user can submit a malicious query with | deliberate excessive nesting to any application using the parser to | trigger a Denial of Service through resource exhaustion. This issue | has been patched in version 4.1.0. CVE-2026-46374[1]: | SQLFluff is a modular SQL linter and auto-formatter with support for | multiple dialects and templated code. Prior to version 4.2.0, in | deployments where untrusted users can provide SQL queries to be | linted, an untrusted user can submit a malicious long query to any | application using the parser to trigger a Denial of Service through | resource exhaustion. This issue has been patched in version 4.2.0. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-46373 https://www.cve.org/CVERecord?id=CVE-2026-46373 https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-wmhf-fqc8-vxhh [1] https://security-tracker.debian.org/tracker/CVE-2026-46374 https://www.cve.org/CVERecord?id=CVE-2026-46374 https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-73jc-5mrq-prw7 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
