Vulnerability  ·  2026-07-07

BettaFish InsightEngine — Partial String Comparison in Search-Result Deduplication

VulnerabilityLow impactGlobalCVE-2026-14687
BettaFish's search-result deduplication logic in its agentic InsightEngine module uses a substring/partial match instead of an exact comparison, allowing manipulation of which results are considered duplicates.
Low-severity logic flaw with narrow real-world exposure; included for completeness as a precisely catalogued CVE in an AI agent search framework.
The _deduplicate_results function in InsightEngine/agent.py performs a partial rather than exact string comparison, which a remote attacker can manipulate to bypass deduplication logic and affect search-result handling.
666ghj BettaFish up to 1.2.1
Upgrade past 1.2.1 or patch _deduplicate_results to use exact comparison; check upstream repository for a fix.
NVD CVE-2026-14687BettaFish GitHub
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →