SQLite 'sqldiff.exe' does not securely handle the way the...
Critical severity
Unreviewed
Published
Jun 4, 2026
to the GitHub Advisory Database
•
Updated Jun 4, 2026
Description
Published by the National Vulnerability Database
Jun 4, 2026
Published to the GitHub Advisory Database
Jun 4, 2026
Last updated
Jun 4, 2026
SQLite 'sqldiff.exe' does not securely handle the way the Microsoft Windows C runtime converts Unicode characters to ANSI codepages. An attacker could use the '-L' option to load an arbitrary DLL with a crafted command line argument string that results in command line file arguments being misinterpreted as command line options. Fixed on or around 2025-12-26.
References