What is GHSA-wmhf-fqc8-vxhh?

GHSA-wmhf-fqc8-vxhh is a security advisory published by GitHub Security Advisories with High severity. SQLFluff: Recursive Stack Overflow in Parser

Which CVE IDs does GHSA-wmhf-fqc8-vxhh cover?

GHSA-wmhf-fqc8-vxhh covers the following CVE IDs: CVE-2026-46373. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-wmhf-fqc8-vxhh?

GHSA-wmhf-fqc8-vxhh has a CVSS v3 base score of 7.5, published by GitHub Security Advisories.

Which products are affected by GHSA-wmhf-fqc8-vxhh?

GHSA-wmhf-fqc8-vxhh affects 1 product, including: pip/sqlfluff:\u003c 4.1.0.

GHSA-wmhf-fqc8-vxhhHighCVSS 7.5

SQLFluff: Recursive Stack Overflow in Parser

Vendor

GitHub Security Advisories

Published

May 19, 2026

Last Modified

May 19, 2026

🔗 CVE IDs covered (1)

CVE-2026-46373 →

📋 Description

### Impact In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion. ### Patches Versions 4.1.0 and up contain a configurable recursion limit, which is enabled by default, to prevent this manner of exploit. ### Credit Ori Nakar from Imperva Threat Research Team.

🎯 Affected products1

pip/sqlfluff:< 4.1.0

🔗 References (2)

https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-wmhf-fqc8-vxhh
https://github.com/advisories/GHSA-wmhf-fqc8-vxhh