Description
A vulnerability was determined in 666ghj BettaFish up to 1.2.1. Impacted is the function _deduplicate_results of the file InsightEngine/agent.py of the component InsightEngine search-result Deduplication. Executing a manipulation can lead to partial string comparison. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.
Published: 2026-07-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw was identified in the _deduplicate_results function of the InsightEngine component in 666ghj BettaFish. The bug allows an attacker to manipulate the deduplication process through partial string comparison. Because the comparison logic is performed on user-supplied data, an attacker can craft input that bypasses intended checks, potentially leading to unauthorized access or data corruption. The weakness maps to CWE-187 (Partial String Comparison) and CWE-697 (Incorrect Comparison).

Affected Systems

The vulnerability affects all installations of BettaFish up to version 1.2.1. The component in question is the InsightEngine search‑result Deduplication module located in the agent.py file. 666ghj, the vendor responsible for BettaFish, has not released an affected‑version list beyond the stated upper bound.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. No EPSS score is available, so the current likelihood of exploitation is unknown, and the entry is not listed in the CISA KEV catalog. The description states that the attack can be launched remotely and that the exploit has been publicly disclosed, suggesting that an attacker can reach the vulnerable function from an external network if the InsightEngine component is exposed. The exploitation path relies on sending specially crafted strings that trigger the insecure comparison logic; once the function behaves anomalously, the attacker can influence downstream processing or bypass deduplication safeguards. The lack of a publicly available patch at this time raises the urgency for administrators to monitor for related activity and to apply mitigation measures promptly.

Generated by OpenCVE AI on July 5, 2026 at 07:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install the newest BettaFish release containing a fix for the partial string comparison bug.
  • If a patch is not yet available, restrict external access to the InsightEngine component or disable the deduplication feature until a fix is applied.
  • Validate all user input passed to the _deduplicate_results function so that full string comparisons are performed instead of relying on the buggy logic.



Advisories

No advisories yet.

History

Sun, 05 Jul 2026 01:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was determined in 666ghj BettaFish up to 1.2.1. Impacted is the function _deduplicate_results of the file InsightEngine/agent.py of the component InsightEngine search-result Deduplication. Executing a manipulation can lead to partial string comparison. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance. |
| Title | | 666ghj BettaFish InsightEngine search-result Deduplication agent.py _deduplicate_results partial string comparison |
| First Time appeared | | 666ghj; 666ghj bettafish |
| Weaknesses | | CWE-187; CWE-697 |
| CPEs | | cpe:2.3:a:666ghj:bettafish:*:*:*:*:*:*:*:* |
| Vendors & Products | | 666ghj; 666ghj bettafish |
| References | | |
| Metrics | | cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}; cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}; cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}; cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'} |

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-05T00:30:09.629Z

Reserved: 2026-07-04T04:42:15.722Z

Link: CVE-2026-14687

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T07:45:03Z

Weaknesses