Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible with no authentication or interaction required; impact is limited to low integrity on search results with no confidentiality or availability effect.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was determined in 666ghj BettaFish up to 1.2.1. Impacted is the function _deduplicate_results of the file InsightEngine/agent.py of the component InsightEngine search-result Deduplication. Executing a manipulation can lead to partial string comparison. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.
AnalysisAI
Partial string comparison in BettaFish's InsightEngine deduplication logic (versions up to 1.2.1) allows remote unauthenticated attackers to manipulate search-result deduplication by crafting inputs that exploit the flawed comparison in _deduplicate_results within InsightEngine/agent.py. The integrity impact is limited - attackers can cause duplicate or otherwise manipulated entries to persist in search output - but the attack requires no authentication and no user interaction, and a public proof-of-concept exploit exists. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that BettaFish's InsightEngine search functionality is deployed and accessible over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates this is remotely exploitable with low complexity, no authentication, and no user interaction - the most accessible attack surface posture. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker submits crafted search queries to a publicly accessible BettaFish InsightEngine endpoint, constructing result strings designed to exploit the partial string comparison in `_deduplicate_results` - for example, strings sharing a common prefix or suffix with legitimate entries. This causes the deduplication logic to either suppress valid results or allow duplicate manipulated entries through, corrupting the search output seen by users. … |
| Remediation | An upstream fix is available as a pending pull request (PR #689) at https://github.com/666ghj/BettaFish/pull/689, but it has not yet been merged or released as a tagged version - operators should monitor the repository and upgrade once a patched release is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-187 – Partial String Comparison
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41709
GHSA-v6hv-2p8r-43v4