VYPR

SQLite

by SQLite

CVEs (71)

  • CVE-2025-71316 | Critical | Jun 4, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    SQLite 'sqldiff.exe' does not securely handle the way the Microsoft Windows C runtime converts Unicode characters to ANSI codepages. An attacker could use the '-L' option to load an arbitrary DLL with a crafted command line argument string that results in command line file…

  • CVE-2017-10989 | Critical | Jul 7, 2017
    risk 0.64 | cvss 9.8 | epss 0.09

    The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.

  • CVE-2025-6965 | Critical | Jul 15, 2025
    risk 0.60 | cvss 9.8 | epss 0.73

    There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.

  • CVE-2026-11824 | High | Jun 9, 2026
    risk 0.51 | cvss 7.8 | epss 0.00

    SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value…

  • CVE-2026-11822 | High | Jun 9, 2026
    risk 0.51 | cvss 7.8 | epss 0.00

    SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can…

  • CVE-2025-70873 | High | Mar 12, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.

  • CVE-2018-8740 | High | Mar 17, 2018
    risk 0.49 | cvss 7.5 | epss 0.08

    In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.

  • CVE-2017-15286 | High | Oct 12, 2017
    risk 0.49 | cvss 7.5 | epss 0.03

    SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c because it fails to consider certain cases where `sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never initialized.

  • CVE-2025-7709 | Medium | Sep 8, 2025
    risk 0.45 | cvss n/a | epss 0.00

    An integer overflow exists in the FTS5 (https://sqlite.org/fts5.html) extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer. A pointer to partially controlled data can then be written out of bounds.

  • CVE-2019-16168 | Medium | Sep 9, 2019
    risk 0.42 | cvss 6.5 | epss 0.04

    In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."

  • CVE-2016-6153 | Medium | Sep 26, 2016
    risk 0.38 | cvss 5.9 | epss 0.00

    os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current…

  • CVE-2017-13685 | Medium | Aug 29, 2017
    risk 0.36 | cvss 5.5 | epss 0.02

    The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.

  • CVE-2022-35737 | Aug 3, 2022
    risk 0.04 | cvss n/a | epss 0.11

    SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

  • CVE-2015-5895 | Sep 18, 2015
    risk 0.04 | cvss n/a | epss 0.09

    Multiple unspecified vulnerabilities in SQLite before 3.8.10.2, as used in Apple iOS before 9, have unknown impact and attack vectors.

  • CVE-2019-8457 | May 30, 2019
    risk 0.03 | cvss n/a | epss 0.45

    SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.

  • CVE-2015-7036 | Nov 22, 2015
    risk 0.03 | cvss n/a | epss 0.39

    The fts3_tokenizer function in SQLite, as used in Apple iOS before 8.4 and OS X before 10.10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a SQL command that triggers an API call with a crafted pointer value in the…

  • CVE-2008-6593 | Apr 3, 2009
    risk 0.03 | cvss n/a | epss 0.03

    SQL injection vulnerability in LightNEasy/lightneasy.php in LightNEasy SQLite 1.2.2 and earlier allows remote attackers to inject arbitrary PHP code into comments.dat via the dlid parameter to index.php.

  • CVE-2008-6592 | Apr 3, 2009
    risk 0.03 | cvss n/a | epss 0.03

    thumbsup.php in Thumbs-Up 1.12, as used in LightNEasy "no database" (aka flat) and SQLite 1.2.2 and earlier, allows remote attackers to copy, rename, and read arbitrary files via directory traversal sequences in the image parameter with a modified cache_dir parameter containing…

  • CVE-2008-6590 | Apr 3, 2009
    risk 0.03 | cvss n/a | epss 0.03

    Multiple directory traversal vulnerabilities in LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to read arbitrary files via a .. (dot dot) in the page parameter to (1) index.php and (2) LightNEasy.php.

  • CVE-2019-19925 | Dec 24, 2019
    risk 0.01 | cvss n/a | epss 0.07

    zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.

Page 1 of 4