CVE-2026-46374
Impact
In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion.
Patches
Versions 4.2.0 and up contain a configurable parse node limit, which is enabled by default, to prevent this manner of exploit.
Credit
Ori Nakar from Imperva Threat Research Team.
⚡ Watch CVE-2026-46374
Get an email if CVE-2026-46374 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.26% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 18% of all EPSS-scored CVEs.
Advisory coverage (1)
- highGHSA-73jc-5mrq-prw7: SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parserghsa · 2026-05-19
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-46374)