There are 156 CVEs which mention SQLite. Some of them are genuine and have been fixed. But many of them are really in the way software calls the SQLite API (e.g. unsanitized SQL), or in 'trunk' versions of SQLite which were never assigned a proper version number, or are things that the SQLite documentation prominently tells you about (e.g. until you say otherwise, FOREIGN KEYs are ignored). You can't dispute those CVEs. Because the statement in the CVE report is true. It's just something that won't affect a competent programmer. DRH should not need to waste hours reading every vulnerability site out there and writing a closely argued refutation every time someone gets 'points' by posting there. Report bugs, including vulnerabilities to the SQLite fora. They will get fixed or you will get an explanation (even from someone as far from the dev team as me) as to why they're not a problem.