46 matches found
SQLite report about CVE-2025-29087
Duplicate of CVE-2025-3277...
SQLite report about CVE-2025-7709
An attacker who has complete control over the database content could create a corrupt FTS5 index resulting in access to memory outside the bounds of an array due to integer overflow. Fixed on 2025-07-15...
SQLite report about CVE-2025-3277
A bug in the concat_ws SQL function can cause a write past the end of an array obtained from malloc. If an attacker can control the first argument to concat_ws, so that the separator string is large - more than 2MB - then an integer overflow in the calculation of the size of the result buffer might...
SQLite report about CVE-2025-7458
An attacker who can inject arbitrary SQL statements into an application might be able to cause an integer overflow resulting in a read off the end of an array. Fixed on 2023-03-16...
SQLite report about CVE-2025-6965
An attacker who can inject arbitrary SQL statements into an application might be able to cause an integer overflow resulting in a read off the end of an array. Fixed on 2025-06-27...
SQLite report about CVE-2025-52099
Duplicate of CVE-2025-29088...
SQLite report about CVE-2025-29088
Passing out-of-bounds arguments to the C-language API routine sqlite3_db_config(db,SQLITE_DBCONFIG_LOOKASIDE,...) can lead to a crash and denial of service. Reported by Forum post 48f365daec. Complaint addressed by check-in 2025-02-17T14:16Z...
SQLite report about CVE-2025-70873
When using the zipfile extension (not a part of standard SQLite but usually included in builds of the CLI), a malformed ZIP file input can result in an out-of-bounds read. Reported by forum post 2025-12-06T16:46:32Z and fixed in trunk by check-in 2025-12-06T23:58:09.413Z...
SQLite report about CVE-2024-0232
An attacker who can inject arbitrary SQL statements into an application might be able to provoke a use-after-free bug in SQLite's JSON parser that can in theory lead to an application crash and denial of service. See forum thread b25edc1d4662 for the bug report...
SQLite report about CVE-2023-7104
This is a bug in the session extension of SQLite, not in the SQLite core. This bug is only reachable by applications that recompile SQLite using the -DSQLITE_ENABLE_SESSION compile-time option and then use the Session C-language APIs to process a changeset that has been subtly corrupted by an...
SQLite report about CVE-2023-32697
This is a bug in the SQLite JDBC library, which is a wrapper library that provides access to SQLite from Java. SQLite JDBC is created and maintained independently from SQLite. Despite the use of "SQLite" in the name, the SQLite JDBC library is not affiliated with the SQLite project in any way. Th...
SQLite report about CVE-2023-39939
This is not a bug in SQLite. This is an SQL injection bug in an application LuxCal Web Calendar that links against SQLite. Even though this CVE is not about SQLite, "SQLite" is mentioned in the description and so we list it here...
SQLite report about CVE-2023-39543
This is not a bug in SQLite. This is an XSS vulnerability in a separate application LuxCal Web Calendar that links against SQLite. The bug is in the application, not in SQLite. However "SQLite" is mentioned in the description and so we list it here...
SQLite report about CVE-2022-46908
This is a bug in the --safe command-line option of the command-line shell program that is available for accessing SQLite database files. The bug does not exist in the SQLite library. Nor is it an issue for the CLI as long as the user does not depend on the --safe option. It is not serious. It is...
SQLite report about CVE-2022-38627
This is not a bug in SQLite. This is an SQL injection bug in a specific PHP application. In other words, the bug is in the PHP application code, not in SQLite. Even though this CVE is not about SQLite, "SQLite" is mentioned in the publicity about the bug and so we list it here...
SQLite report about CVE-2022-24854
This CVE describes a bug in an application that uses SQLite, not in SQLite itself. SQLite is doing everything correctly. The application grants users the ability to run SQL statements, using SQLite, that can leak or change information that those users should not normally have access to. This is...
SQLite report about CVE-2022-21227
This CVE describes a bug in a third-party package that provides a binding for SQLite to Node.js. The bug reported is in the third-party Node.js binding, not in SQLite itself. Do not be confused by the use of the word "SQLite" in the ambiguously-worded CVE description...
SQLite report about CVE-2022-35737
This bug is an array-bounds overflow. The bug is only accessible when using some of the C-language APIs provided by SQLite. The bug cannot be reached using SQL nor can it be reached by providing SQLite with a corrupt database file. The bug only comes up when very long string inputs greater than 2...
SQLite report about CVE-2021-23404
This is not a bug in SQLite. The bug is in a third-party application that uses SQLite and includes "sqlite" in its name. This CVE is included on the list because it mentions SQLite even though the bug has nothing to do with SQLite...
SQLite report about CVE-2021-20223
The problem identified by this CVE is not a vulnerability. It is a malfunction. A coding error causes FTS5 to sometimes return inconsistent and incorrect results under obscure circumstances, but no memory errors occur. details...
SQLite report about CVE-2021-45346
This CVE is misinformation. See the discussion around SQLite forum post 53de8864ba114bf...
SQLite report about CVE-2021-31239
This is a bug in the CLI. It allows a user with unrestricted shell access to cause a denial-of-service. Of course, there are a million easier ways for a user with unrestricted shell access to cause far worse mischief. The problem was in the appendvfs extension which is not a part of standard...
SQLite report about CVE-2021-36690
This bug is not in the SQLite core library, but rather in an experimental extension that is used to implement the .expert command in the CLI. The code that contains the bug does not appear in standard SQLite builds, though it is included in the sqlite3.exe command-line tool. Applications must lin...
SQLite report about CVE-2021-28305
This is not a bug in SQLite. The bug is in a third-party application that uses SQLite. SQLite is mentioned by name in the CVE description, however, so we have included the CVE in the list...
SQLite report about CVE-2021-20227
Malicious SQL statement causes read-after-free. No harm can come of this particular read-after-free instance, as far as anyone knows. The bug is undetectable without a memory sanitizer. The CVE claims that this bug is an RCE - a Remote Code Execution vulnerability, but that claim is incorrect. Th...
SQLite report about CVE-2021-0646
Duplicate of CVE-2020-13434...
SQLite report about CVE-2021-42169
This CVE has nothing whatsoever to do with SQLite. It is about a bug in application that happens to use SQLite. Since SQLite is mentioned in the CVE description, the CVE is included here to emphasize that this is not an SQLite bug...
SQLite report about CVE-2020-13871
Malicious SQL statement causes a read-only use-after-free memory error. details...
SQLite report about CVE-2020-13434
Malicious SQL statement involving the printf SQL function results in an integer overflow which can overwrite the stack with over 2 billion bytes of 0x30 or 0x20 (ASCII '0' or ' '). Even though this is a stack overwrite, there is no known way to redirect control or otherwise escalate the level of...
SQLite report about CVE-2020-11656
Malicious SQL statement causes read-only use-after-free of memory allocation if SQLite is compiled with -DSQLITE_DEBUG. Does not affect release builds. details...
SQLite report about CVE-2020-11655
Malicious SQL statement causes a read using an uninitialized pointer and denial-of-service. details...
SQLite report about CVE-2020-15358
Malicious SQL statement causes a read past the end of a heap buffer. details...
SQLite report about CVE-2020-6405
Malicious SQL statement causes a NULL pointer dereference and denial-of-service. details...
SQLite report about CVE-2020-13631
Malicious SQL statement (an ALTER TABLE that tries to rename a virtual table into one of its own shadow tables) causes an infinite loop and denial of service. details...
SQLite report about CVE-2020-13632
Malicious SQL statement causes a read of a NULL pointer in the matchinfo SQL function of the FTS3 extension, resulting in denial of service. details...
SQLite report about CVE-2020-13435
Malicious SQL statement causes a read access to a NULL pointer and denial of service. details...
SQLite report about CVE-2020-13630
Malicious SQL statement causes a read-only use-after-free, possibly resulting in an incorrect output from the snippet SQL function of the FTS3 extension. There is no known way to exfiltrate data or crash the application using this bug. details...
SQLite report about CVE-2020-9327
Malicious SQL statement causes a read using an uninitialized pointer and denial-of-service. details...
SQLite report about CVE-2019-20218
Malicious SQL statement causes an uninitialized pointer read and denial-of-service. details...
SQLite report about CVE-2019-19926
Malicious SQL statement causes an uninitialized pointer read and denial-of-service. details...
SQLite report about CVE-2019-19925
Malicious SQL statement causes a NULL pointer dereference in the Zipfile virtual table extension and denial-of-service. This is only possible when the optional Zipfile virtual table extension is deployed, which is not the case in default builds. details...
SQLite report about CVE-2019-19959
Malicious SQL statement causes a NULL pointer dereference in the Zipfile virtual table extension and denial-of-service. This is only possible when the optional Zipfile virtual table extension is deployed, which is not the case in default builds. details...
SQLite report about CVE-2019-19923
Malicious SQL statement causes a NULL pointer dereference and denial-of-service. details...
SQLite report about CVE-2019-19646
The PRAGMA integrity_check command might cause the byte-code for a prepared statement to loop indefinitely. This might enable a denial-of-service, if the application has not taken appropriate and prudent steps to limit the run-time of SQL statements. This is not a vulnerability, as there are...
SQLite report about CVE-2019-19924
Malicious SQL statement causes an uninitialized pointer reference and denial-of-service. details...
SQLite report about CVE-2019-19317
This CVE identifies a bug in a development check-in of SQLite. The bug never appeared in any official SQLite release. details...