Vendor
A high-severity SQL injection vulnerability, CVE-2026-61461, exists in the MyScale vector store backend of Dify versions prior to 1.16.0-rc1, allowing attackers with low privileges to execute arbitrary SQL commands via unsanitized search parameters, leading to unauthorized data manipulation in the underlying ClickHouse database.