VYPR
High severity8.3NVD Advisory· Published May 29, 2026· Updated Jun 2, 2026

CVE-2026-10105

CVE-2026-10105

Description

agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the delete_by_metadata() method. Attackers can exploit the unsafe f-string interpolation in clickhousedb.py to delete all rows, target specific rows, or extract information through error-based or blind SQL injection techniques.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Agno/Agnoreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: 2.6.5

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.