CVE-2026-46373

HIGH 7.5

SQLFluff: Recursive Stack Overflow in Parser

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.1.0.

CWE	CWE-674
Vendor	sqlfluff
Product	sqlfluff
Published	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for sqlfluff sqlfluff

Be the first to know when new high vulnerabilities affecting sqlfluff sqlfluff are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

sqlfluff / sqlfluff

< 4.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-wmhf-fqc8-vxhh