HIGH
agno-agi
CVE published 2026-05-29
CVE-2026-10105
A SQL injection vulnerability exists in agno 2.6.5 within the ClickHouse vector database backend. The `delete_by_metadata()` method in `clickhousedb.py` uses unsafe f-string interpolation when constructing SQL queries, allowing attackers to inject arbitrary SQL expressions through malicious metadata keys and values. This vulnerability was disclosed on 2026-05-29 and affects applications using agno's Click [truncated]