Package details: pkg:pypi/sqlfluff@2.3.2
purl: pkg:pypi/sqlfluff@2.3.2
Next non-vulnerable version: 4.2.0
Latest non-vulnerable version: 4.2.0
Risk: 4.0
Vulnerabilities affecting this package (2)
VCID-hq1d-snxu-c3ae
Aliases: CVE-2026-46373, GHSA-wmhf-fqc8-vxhh, PYSEC-2026-209
Summary: SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.1.0.
Fixed by: 4.1.0 (version 4.1.0 is affected by 1 other vulnerability)

VCID-m1q2-6xrj-4ycx
Aliases: CVE-2026-46374, GHSA-73jc-5mrq-prw7, PYSEC-2026-210
Summary: SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.2.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.2.0.
Fixed by: 4.2.0 (version 4.2.0 is affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-14T03:23:15.828039+00:00 | PyPI Importer | Affected by | VCID-m1q2-6xrj-4ycx | https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip | 38.6.0
2026-06-14T03:23:15.231954+00:00 | PyPI Importer | Affected by | VCID-hq1d-snxu-c3ae | https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip | 38.6.0
2026-06-13T13:45:32.537841+00:00 | Pypa Importer | Affected by | VCID-m1q2-6xrj-4ycx | https://github.com/pypa/advisory-database/blob/main/vulns/sqlfluff/PYSEC-2026-210.yaml | 38.6.0
2026-06-13T13:45:31.740105+00:00 | Pypa Importer | Affected by | VCID-hq1d-snxu-c3ae | https://github.com/pypa/advisory-database/blob/main/vulns/sqlfluff/PYSEC-2026-209.yaml | 38.6.0