What happened
CVE-2026-14687 (CVSS 5.3 Medium, published 2026-07-05) is a logic flaw in an AI search-agent's result-deduplication routine that uses substring rather than exact comparison.
Why it matters
Low blast radius — primarily affects result-quality/dedup correctness in a niche AI search agent rather than confidentiality or code execution, kept as a precise catalogued finding.
Attack vector
The _deduplicate_results function uses partial (substring) string comparison instead of exact matching, remotely exploitable to bypass deduplication logic.
Affected systems
666ghj BettaFish ≤ 1.2.1 (InsightEngine/agent.py)
Mitigation
No fix confirmed at disclosure; use exact-match/hash-based deduplication as a workaround.