SQLite sqldiff remote code execution via argument injection
CVE-2025-71316

9.2CRITICAL

Key Information:

Vendor: Sqlite
Status: Sqldiff
Vendor: CVE Published:; 4 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-71316?

SQLite 'sqldiff.exe' does not securely handle the way the Microsoft Windows C runtime converts Unicode characters to ANSI codepages. An attacker could use the '-L' option to load an arbitrary DLL with a crafted command line argument string that results in command line file arguments being misinterpreted as command line options. Fixed on or around 2025-12-26.

Affected Version(s)

sqldiff 0 < 2025-12-26

sqldiff 2025-12-26

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-71316 - Proof of Concept

References

https://sqlite.org/src/file/tool/winmain.c

patch

https://learn.microsoft.com/en-us/windows/win32/api/proce...

mitigation

https://i.blackhat.com/EU-24/Presentations/EU-24-Tsai-V2-...

exploit

CVSS V4

Score:

9.2

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 4, 2026
👾
Exploit known to exist
Jun 4, 2026
Vulnerability published
Jun 4, 2026
Vulnerability Reserved
Jun 4, 2026

Credit

Vincent55

CVE-2025-71316 Data

JSON

Sqlite

Badges

What is CVE-2025-71316?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit