Skip to main content

BettaFish CVE-2026-14687

| EUVDEUVD-2026-41709 MEDIUM
Partial String Comparison (CWE-187)
2026-07-05 VulDB GHSA-v6hv-2p8r-43v4
5.5
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-accessible with no authentication or interaction required; impact is limited to low integrity on search results with no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 05, 2026 - 01:27 vuln.today
CVSS changed
Jul 05, 2026 - 01:22 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)

DescriptionCVE.org

A vulnerability was determined in 666ghj BettaFish up to 1.2.1. Impacted is the function _deduplicate_results of the file InsightEngine/agent.py of the component InsightEngine search-result Deduplication. Executing a manipulation can lead to partial string comparison. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.

AnalysisAI

Partial string comparison in BettaFish's InsightEngine deduplication logic (versions up to 1.2.1) allows remote unauthenticated attackers to manipulate search-result deduplication by crafting inputs that exploit the flawed comparison in _deduplicate_results within InsightEngine/agent.py. The integrity impact is limited - attackers can cause duplicate or otherwise manipulated entries to persist in search output - but the attack requires no authentication and no user interaction, and a public proof-of-concept exploit exists. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach BettaFish InsightEngine over network
Delivery
Submit crafted search query input
Exploit
Trigger partial string comparison in _deduplicate_results
Execution
Bypass deduplication logic
Impact
Corrupt or manipulate search result output

Vulnerability AssessmentAI

Exploitation Exploitation requires that BettaFish's InsightEngine search functionality is deployed and accessible over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates this is remotely exploitable with low complexity, no authentication, and no user interaction - the most accessible attack surface posture. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker submits crafted search queries to a publicly accessible BettaFish InsightEngine endpoint, constructing result strings designed to exploit the partial string comparison in `_deduplicate_results` - for example, strings sharing a common prefix or suffix with legitimate entries. This causes the deduplication logic to either suppress valid results or allow duplicate manipulated entries through, corrupting the search output seen by users. …
Remediation An upstream fix is available as a pending pull request (PR #689) at https://github.com/666ghj/BettaFish/pull/689, but it has not yet been merged or released as a tagged version - operators should monitor the repository and upgrade once a patched release is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14687 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy