Back to CVE List

CVE-2026-61461

HIGH SEVERITY

CVSS Score & Metrics

Base Score
8.8 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Description

Dify before 1.16.0-rc1 contains a SQL injection vulnerability in the MyScale vector store backend that allows attackers to execute arbitrary SQL by supplying unsanitized search parameters to the search_by_full_text method without escaping or parameterization. Attackers can inject malicious SQL through the search parameters to read, modify, or delete data in the underlying ClickHouse database.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-89
Source
NVD
Vendor
langgenius
Product
dify

External References

Discussion (0)

Add Comment

No comments yet. Be the first!