High
CVE-2026-41490
Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster libraries version 0.29.1, the DuckDB, S…
Tag: DuckDB
All CVEs associated with "DuckDB". Page 1/1 • 10 CVEs.
About “DuckDB”
A curated feed of “DuckDB”-related CVEs appears below. We currently track 10 CVEs for this tag (all time). In the last 365 days, 4 were published. Average CVSS is 8.6 (all time; 7.6 over 365d), and 90% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE-327 - Use of a Broken or Risky Cryptographic Algorithm, CWE-506 - Embedded Malicious Code.
In our taxonomy this topic maps to a LOW impact class. Databases, proxies, and web servers often need coordinated restarts and config checks. Patch only modules you deploy, verify TLS and authentication, and tune limits. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
Support & lifecycle: duckdb
This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.
| Cycle | Release | Latest | EOL | LTS |
|---|---|---|---|---|
| 1.5 | 1.5.3 | - | ||
| 1.4 | 1.4.4 | Soon | LTS | |
| 1.3 | 1.3.2 | Expired | ||
| 1.2 | 1.2.2 | Expired | ||
| 1.1 | 1.1.3 | Expired | ||
| 1.0 | 1.0.0 | Expired |
Maintained Soon (≤ 180 days) Expired
Subscribe lifecycle: RSS · RSS (expired) · ICS
Subscribe CVEs: RSS for “DuckDB” · RSS (High+Critical only)
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2026-05-07
2026-03-18
High
CVE-2026-32611
Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use pa…
2025-11-12
Medium
CVE-2025-64429
DuckDB is a SQL database management system. DuckDB implemented block-based encryption of DB on the filesystem starting with DuckDB 1.4.0. There are a few issues related to this implementation. The Du…
2025-09-09
High
CVE-2025-59037
DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). A…
2025-03-20
High
CVE-2024-8099
A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of vanna-ai/vanna when using DuckDB as the database. An attacker can exploit this vulnerability by submitting crafted S…
Critical
CVE-2024-11958
A SQL injection vulnerability exists in the `duckdb_retriever` component of the run-llama/llama_index repository, specifically in the latest version. The vulnerability arises from the construction of…
Critical
CVE-2024-10835
In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /api/v1/editor/sql/run` allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers…
2024-10-18
Critical
CVE-2024-9264
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, le…
2024-07-24
High
CVE-2024-41672
DuckDB is a SQL database management system. In versions 1.0.0 and prior, content in filesystem is accessible for reading using `sniff_csv`, even with `enable_external_access=false`. This vulnerabilit…
2024-06-28
Critical
CVE-2024-5827
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbit…