Skip to main content

PostgreSQL CVE-2026-40906

| EUVD-2026-24475 CRITICAL
SQL Injection (CWE-89)
2026-04-21 GitHub_M
SQLi PostgreSQL
9.9
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Patch released
Apr 22, 2026 - 21:24 nvd
Patch available
Patch available
Apr 21, 2026 - 22:17 EUVD
CVSS changed
Apr 21, 2026 - 21:22 NVD
10.0 (CRITICAL) 9.9 (CRITICAL)
EUVD ID Assigned
Apr 21, 2026 - 21:01 euvd
EUVD-2026-24475
CVE Published
Apr 21, 2026 - 20:05 nvd
CRITICAL 9.9

DescriptionNVD

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.

Analysis

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Vendor StatusVendor

Share

CVE-2026-40906 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy