PT-2026-42043 · Pypi · Sqlfluff

Published: 2026-05-19 · Updated: 2026-05-26 · CVE-2026-46374

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact

In deployments where untrusted users can supply SQL queries to be linted, such a user can submit a maliciously long query to any application that uses the parser and trigger a denial of service through resource exhaustion.

Patches

Versions 4.2.0 and up contain a configurable parse node limit, enabled by default, to prevent this kind of exploitation.

Credit

Ori Nakar of the Imperva Threat Research Team.

Fix

Weakness Enumeration

Resource Exhaustion

Related Identifiers

CVE-2026-46374
GHSA-73JC-5MRQ-PRW7

Affected Products

Sqlfluff