Pgbouncer

2 CVEs for this product


CVE-2025-12819 (HIGH, patch available)

Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.

Tags: Information Disclosure, Ubuntu, Debian, Pgbouncer
Source: NVD. CVSS 3.1: 7.5. EPSS: 0.2%.
CVE-2025-2291 (HIGH, no vendor patch)

Password can be used past expiry in PgBouncer because auth_query does not take into account the Postgres role's VALID UNTIL value, which allows an attacker to log in with an already expired password. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable with no authentication required. No vendor patch available.

Tags: Information Disclosure, PostgreSQL, Pgbouncer, Debian Linux
Source: NVD. CVSS 3.1: 8.1. EPSS: 0.3%.
