Skip to main content

PostgreSQL CVE-2026-4190

| EUVDEUVD-2026-12251 MEDIUM
SQL Injection (CWE-89)
2026-03-15 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
Severity Changed
Apr 22, 2026 - 21:37 NVD
HIGH MEDIUM
CVSS changed
Apr 22, 2026 - 21:37 NVD
7.3 (HIGH) 6.9 (MEDIUM)
PoC Detected
Mar 16, 2026 - 14:53 vuln.today
Public exploit code
EUVD ID Assigned
Mar 15, 2026 - 20:00 euvd
EUVD-2026-12251
Analysis Generated
Mar 15, 2026 - 20:00 vuln.today
CVE Published
Mar 15, 2026 - 19:32 nvd
HIGH 7.3

DescriptionCVE.org

A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in the User.getAll function of node-api-postgres up to version 2.5 allows remote attackers to manipulate the sort parameter and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. Affected deployments using PostgreSQL with the vulnerable Node.js API library face risks of unauthorized data access, modification, and potential service disruption.

Technical ContextAI

The node-api-postgres library is a Node.js API framework for PostgreSQL databases. The vulnerability stems from improper input sanitization in the User.getAll function located in models/user.js, where the 'sort' parameter is directly concatenated into SQL queries without proper escaping or parameterization. This is a classic SQL injection vulnerability (CWE-89), which occurs when user-supplied input is incorporated into SQL queries without adequate validation. Based on the CPE identifier (cpe:2.3:a:jawherkl:node-api-postgres:*:*:*:*:*:*:*:*), all versions up to and including 2.5 are affected.

RemediationAI

Given the vendor's non-responsiveness to the vulnerability disclosure, no official patch is available. Recommended mitigations include: 1) Immediately implement input validation and parameterized queries for the sort parameter in User.getAll function, 2) Consider forking the library and applying security fixes if continued use is necessary, 3) Migrate to an alternative, actively maintained PostgreSQL library for Node.js, 4) Implement Web Application Firewall (WAF) rules to filter potential SQL injection attempts as a temporary measure. Review the exploit details at https://hackmd.io/@YzU_KiOzT86cEbFQdBceVg/Bk56LQQYbe to understand attack patterns for detection.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

CVE-2026-4190 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy