PostgreSQL

Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.

Unauthenticated remote code execution (RCE) at root level in Aperi'Solve <3.2.1 allows attackers to execute arbitrary commands via unsanitized password input in JPEG upload functionality. Attack requires no authentication (PR:N) and low complexity (AC:L), with CVSS 9.3 critical severity. Publicly available exploit code exists via GitHub advisory. Attackers gain full container compromise with potential pivot to PostgreSQL/Redis databases and, in misconfigured deployments with Docker socket mounts, possible host system takeover. EPSS data not provided, but given unauthenticated network-based vector and public disclosure with fix details, exploitation risk is substantial for exposed instances.

SQL injection in Kestra orchestration platform's flow search endpoint (GET /api/v1/main/flows/search) enables remote code execution on the underlying PostgreSQL host. Authenticated users can trigger the vulnerability by visiting a malicious link, exploiting PostgreSQL's COPY TO PROGRAM feature to execute arbitrary OS commands on the Docker container host. Affects Kestra versions prior to 1.3.7 in default docker-compose deployments. With CVSS 9.9 (Critical) and low attack complexity requiring only low-privilege authentication, this represents a severe risk for container escape and host compromise scenarios.

JWT algorithm confusion in fast-jwt npm package allows remote attackers to forge authentication tokens with arbitrary claims by exploiting incomplete CVE-2023-48223 remediation. The vulnerability (CVSS 9.1 Critical) affects applications using RS256 with public keys containing leading whitespace—a common scenario in database-stored keys, YAML configurations, and environment variables. Attackers possessing the RSA public key (inherently public information) can craft HS256 tokens accepted as valid by the verifier, enabling privilege escalation (e.g., admin: false → admin: true). No authentication required (PR:N), network-exploitable (AV:N), low complexity (AC:L). No public exploit identified at time of analysis, though detailed proof-of-concept code exists in the advisory.

SQL injection in NocoBase plugin-workflow-sql through version 2.0.8 allows authenticated workflow users to execute arbitrary database queries. The vulnerable SQLInstruction class performs unparameterized string substitution of template variables (e.g., {{$context.data.fieldName}}) directly into raw SQL statements, enabling attackers to break out of string literals and inject malicious SQL commands. Publicly available exploit code exists demonstrating UNION-based injection to extract database credentials and system information. With default Docker deployments granting superuser database privileges, attackers gain full read/write access to the database including credential extraction, data modification, and table deletion capabilities.

Stored XSS in DbGate npm package escalates to remote code execution in Electron desktop app via unsanitized SVG icon rendering. Attackers who inject malicious SVG payloads into application definition files can execute arbitrary JavaScript when victims view matching database entries. In the Electron desktop client, insecure configuration (nodeIntegration: true, contextIsolation: false) allows XSS payloads to invoke Node.js APIs, enabling local code execution including file system access. Web deployments face session hijacking and credential theft. EPSS data not available; vendor patch released via GitHub commit a7d2ed1. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept demonstrates both XSS and RCE paths.

SQL injection in Hi.Events open-source event management platform (versions 0.8.0-beta.1 through 1.7.0-beta) allows remote unauthenticated attackers to execute arbitrary SQL queries via unsanitized sort_by parameters passed to Eloquent's orderBy() method. The PostgreSQL backend supports stacked queries, enabling multi-statement injection. While CVSS 8.7 reflects high confidentiality impact and no authentication requirement, no public exploit code or CISA KEV listing exists at time of analysis. Vendor-released patch available in version 1.7.1-beta.

SQL injection in Alerta's Query string search API (q= parameter) allows unauthenticated remote attackers to execute arbitrary SQL commands against the underlying PostgreSQL database. The vulnerability stems from unsafe f-string interpolation of user-supplied search terms directly into SQL WHERE clauses without parameterization. Alerta versions prior to 9.1.0 are affected; the vulnerability has been patched in version 9.1.0 with no public exploit code identified at time of analysis.

SQL injection in SchemaHero 0.23.0 allows remote attackers to execute arbitrary SQL commands through the column parameter in the columnAsInsert function within the PostgreSQL plugin, potentially compromising database integrity and confidentiality. Public exploit documentation is available, indicating proof-of-concept code exists. CVSS and EPSS data are unavailable, limiting formal severity quantification.

DataRow.Decode in github.com/jackc/pgproto3/v2 fails to validate field length parameters, allowing a malicious or compromised PostgreSQL server to send a DataRow message with a negative field length that triggers a slice bounds out of range panic in Go applications using this library. Affected applications experience denial of service through unexpected termination when connecting to an untrusted or compromised database server. No public exploit code or active exploitation has been confirmed; however, the attack requires only network access to a PostgreSQL endpoint that the vulnerable application connects to.

SQL injection in n8n's Data Table Get node allows authenticated users with workflow modification permissions to execute arbitrary SQL queries against PostgreSQL backends, enabling data modification and deletion. Public exploit code exists for this vulnerability. Affected versions prior to 1.123.26, 2.13.3, and 2.14.1 should be upgraded immediately, or workflow creation/editing permissions should be restricted to trusted users only.

n8n workflow automation platform Community Edition contains an authorization bypass vulnerability allowing authenticated users with member-level privileges to steal plaintext credentials from other users. The flaw chains name-based credential resolution that doesn't enforce ownership with a permissions bypass affecting generic HTTP credential types (httpBasicAuth, httpHeaderAuth, httpQueryAuth). Attackers can decrypt and exfiltrate credentials without authorization, though native integration credentials remain unaffected.

Parse Server versions prior to 8.6.59 and 9.6.0-alpha.53 contain a SQL injection vulnerability in PostgreSQL aggregate operations that allows attackers with master key access to execute arbitrary SQL statements, escalating from application-level administrator privileges to database-level access. Only PostgreSQL-backed Parse Server deployments are affected; MongoDB deployments are not vulnerable. No CVSS score or EPSS data is currently available, and no KEV or active exploitation reports have been confirmed at this time.

SQL injection in PostgreSQL via unsafe backslash handling in Kysely's query compiler allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting backslashes into JSON path string literals that bypass quote escaping. The vulnerability affects systems using the default BACKSLASH_ESCAPES SQL mode, where attackers can break out of sanitized JSON path expressions through specially crafted input. No patch is currently available.

SQLBot, an intelligent data query system based on large language models and RAG, contains a critical SQL injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that allows authenticated users with minimal privileges to achieve remote code execution on the backend server. SQLBot versions prior to 1.7.0 are affected, and attackers can exploit unsafe concatenation of Excel sheet names into PostgreSQL table names and COPY statements to inject malicious SQL commands. The vulnerability enables arbitrary command execution as the postgres user, database takeover, and sensitive file exfiltration including /etc/passwd and /etc/shadow.

Remote code execution in SQLBot 1.5.0 and below allows authenticated users to inject malicious prompts through unsanitized terminology uploads, enabling attackers to manipulate the LLM into generating arbitrary PostgreSQL commands executed with database privileges. The vulnerability stems from missing permission checks on the Excel upload API combined with inadequate semantic isolation when injecting user-controlled data into the system prompt. An attacker can exploit this to achieve code execution on the database or application server running as the postgres user.

PostgreSQL client applications using the pgproto3 Go library (github.com/jackc/pgproto3/v2) can be crashed remotely by malicious or compromised PostgreSQL servers sending specially crafted DataRow messages with negative field lengths, triggering slice bounds panics that result in denial of service. The vulnerability requires no authentication and has low attack complexity (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), though the EPSS score of 0.07% (20th percentile) suggests minimal observed exploitation activity. Multiple detailed technical advisories exist including analysis from Security Infinity, and the issue is tracked in GitHub issue #2507 for the pgx project.

SQL injection in PostgreSQL StatementGenerator allows authenticated attackers to execute arbitrary SQL commands through unsanitized object keys in sort, select, and groupBy parameters on analytics endpoints. The vulnerability exists because column name validation was incompletely applied during a previous fix, leaving three query construction methods vulnerable to direct identifier injection. An attacker with valid credentials can exploit this to access or manipulate database contents without requiring user interaction.

Kysely through version 0.28.11 contains a SQL injection vulnerability in JSON path compilation affecting MySQL and SQLite dialects. The visitJSONPathLeg() function appends user-controlled values from .key() and .at() methods directly into single-quoted JSON path string literals without escaping single quotes, enabling attackers to break out of the string context and inject arbitrary SQL. A working proof-of-concept demonstrates UNION-based data exfiltration from SQLite databases. The vulnerability has CVSS score 8.2 and patches are available from the vendor.

Administrative users of Docker and PostgreSQL deployments can exploit an incomplete path validation in the `POST /api/file/globalCopyFiles` endpoint to copy sensitive files like container environment variables and Docker secrets from restricted locations (`/proc/`, `/run/secrets/`) into the workspace, where they become readable via standard file APIs. The vulnerability stems from reliance on a blocklist-based validation mechanism that fails to prevent access to these critical system paths. Since no patch is currently available, organizations should restrict administrative access to the affected API endpoint until an update is released.

A critical unrestricted file upload vulnerability exists in the Profile Picture Handler component of JawherKl's node-api-postgres library (versions up to 2.5), where improper validation in the path.extname function of index.js allows attackers to upload malicious files remotely without authentication. A proof-of-concept exploit is publicly available, making this vulnerability actively exploitable, though it is not currently listed in CISA's KEV catalog and no EPSS score is provided.

SQL injection in the User.getAll function of node-api-postgres up to version 2.5 allows remote attackers to manipulate the sort parameter and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. Affected deployments using PostgreSQL with the vulnerable Node.js API library face risks of unauthorized data access, modification, and potential service disruption.

SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands against connected PostgreSQL, MySQL, and MSSQL databases through the built-in SQL Agent plugin. The vulnerability stems from unsafe string concatenation of table names in the getTableSchemaSql() method across all three database connectors, bypassing proper parameterization. Any user with access to invoke the SQL Agent can exploit this to read, modify, or delete sensitive database contents.

Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.

Veeam Backup & Replication allows a user with the Backup Viewer role (read-only) to escalate to remote code execution as the postgres database user. A read-only role achieving RCE represents a severe privilege escalation with scope change.

An attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a `$regex` query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using PostgreSQL. The fix applies proper SQL identifier escaping to field names in the query handler and hardens query field name validation to reject malicious field names for all query types. There is no known workaround. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6 - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.36

Parse Server versions prior to 9.6.0-alpha.6 and 8.6.32 allow attackers to bypass class-level permission restrictions on protected fields by using dot-notation in query and sort parameters, enabling enumeration of sensitive field values through binary oracle attacks. This affects both MongoDB and PostgreSQL deployments and requires no authentication or user interaction. No patch is currently available for affected versions.

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.

SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.

CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause information disclosure and remote code execution when SOCKS Proxy is enabled, and administrator credentials and PostgreSQL database credentials are known. SOCKS Proxy is disabled by default.

Command injection in Budibase 3.23.22 and earlier allows authenticated attackers with high privileges to execute arbitrary system commands by injecting malicious values into PostgreSQL connection parameters that are unsanitized in shell command construction. An attacker with administrative access can exploit this vulnerability to gain complete control over the underlying server hosting the Budibase instance. No patch is currently available for this vulnerability.

SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.

Arbitrary code execution in TimescaleDB 2.23.0 through 2.25.1 allows local authenticated users to execute malicious functions by shadowing built-in PostgreSQL functions through user-writable schemas in the search_path setting during extension upgrades. An attacker with database access can create malicious functions in writable schemas that are invoked instead of legitimate PostgreSQL functions, resulting in code execution with database privileges. No patch is currently available for affected installations.

SQL injection in Chartbrew before 4.8.3. PoC available.

Packetbeat's PostgreSQL protocol parser improperly validates array indices, allowing authenticated attackers on the same network to crash the monitoring service by sending malicious packets. An attacker exploiting this denial-of-service vulnerability can terminate the Packetbeat process, disrupting monitoring capabilities on systems with PostgreSQL protocol monitoring enabled. No patch is currently available.

Authenticated users in Apache Superset versions before 6.0.0 can execute write operations against PostgreSQL databases configured as read-only by crafting specially formatted SQL statements that evade validation checks. This allows an attacker with SQLLab access to perform unauthorized data modifications despite read-only protections being in place. No patch is currently available for affected versions.

Insufficient SQL function restrictions in Apache Superset before 4.1.2 allow authenticated users to execute sensitive database functions on ClickHouse engines that should have been blocked. An attacker with database access could leverage the incomplete DISALLOWED_SQL_FUNCTIONS list to bypass security controls and potentially extract or manipulate data. No patch is currently available for affected versions of Apache Superset, PostgreSQL, and related deployments.

Hardcoded SSH keys in Ruckus Network Director OVA < 4.5.0.56 for postgres user. Same across all appliances.

Hardcoded PostgreSQL credentials in Ruckus Network Director OVA < 4.5.0.54.

Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resources by exploiting improper timeout handling in STARTTLS request processing. An attacker can send a PostgreSQL SSLRequest prelude and then stall the connection indefinitely, bypassing the readTimeout protection and accumulating open connections until service availability is degraded. A patch is available in version 3.6.8.

Heap buffer overflow in the pg_trgm extension of PostgreSQL 18.0 and 18.1 allows authenticated database users to trigger memory corruption through specially crafted input strings. An attacker with database access could potentially achieve privilege escalation or cause service disruption, though exploit complexity is currently limited by restricted control over written data. No patch is currently available.

Arbitrary code execution in PostgreSQL results from insufficient validation of multibyte character lengths in text manipulation functions, allowing authenticated database users to trigger buffer overflows and execute commands with database process privileges. Affected versions include PostgreSQL 14.x before 14.21, 15.x before 15.16, 16.x before 16.12, 17.x before 17.8, and all versions before 18.2. No patch is currently available, leaving databases vulnerable to privilege escalation attacks from database-level users.

Arbitrary code execution in PostgreSQL pgcrypto module (versions before 14.21, 15.16, 16.12, 17.8, and 18.2) stems from a heap buffer overflow that allows attackers with database access to execute commands with the privileges of the PostgreSQL system user. An authenticated attacker can exploit this vulnerability by providing specially crafted ciphertext to trigger the overflow condition. No patch is currently available, leaving affected PostgreSQL installations vulnerable to privilege escalation and full system compromise.

PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21 contain insufficient input validation in the intarray extension's selectivity estimator function, enabling authenticated users with object creation privileges to execute arbitrary code with database server privileges. The vulnerability requires valid database credentials but allows complete system compromise through code execution at the OS level. No patch is currently available for affected deployments.

Improper validation of the "oidvector" type in PostgreSQL allows authenticated database users to read small amounts of server memory, potentially exposing sensitive data. This vulnerability affects PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21, with no patch currently available for impacted systems.

OpenMetadata versions prior to 1.11.8 expose JWT tokens for the privileged ingestion-bot account through the /api/v1/ingestionPipelines API endpoint, allowing any read-only user to escalate privileges and impersonate a highly privileged service account. With public exploit code available and no patch currently deployed on most instances, attackers can perform destructive actions within OpenMetadata and access sensitive metadata that should be restricted by role-based policies. This vulnerability affects OpenMetadata deployments and related systems like PostgreSQL that depend on its authentication tokens.

Privilege escalation in PostgreSQL Anonymizer allows authenticated users with CREATE privileges to gain superuser access by exploiting unsafe function execution within temporary views. This vulnerability affects PostgreSQL 15 and later, with heightened risk on PostgreSQL 14 instances due to default public schema permissions, and impacts all users unable to upgrade to version 3.0.1 or later. No patch is currently available for affected deployments.

PostgreSQL Anonymizer allows authenticated users to escalate to superuser privileges by injecting malicious code into custom operators placed in the public schema, which execute with elevated privileges during extension creation. This vulnerability primarily affects PostgreSQL 14 and instances upgraded from earlier versions, as PostgreSQL 15+ restricts public schema creation permissions by default. A patch is available in PostgreSQL Anonymizer version 3.0.1 and later.

Cross-collection IDOR in Payload CMS before v3.74.0 allows authenticated users to read and delete preferences from other authentication collections when numeric user IDs overlap in PostgreSQL or SQLite deployments. This vulnerability affects multi-auth environments where default auto-increment IDs create collisions across separate user collections. An attacker with valid credentials in one authentication domain can access and manipulate sensitive preference data belonging to users in different authentication domains.

SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database. [CVSS 8.6 HIGH]

SQLBot is an intelligent data query system based on a large language model and RAG. [CVSS 6.1 MEDIUM]

Hasura GraphQL 1.3.3 has a remote code execution vulnerability allowing attackers to execute arbitrary shell commands through the GraphQL endpoint.

Tandoor Recipes is a recipe manager than can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full database file may be externally accessible, potentially on the Internet. The root cause is that the NixOS module configures the working directory of Tandoor Recipes, as well as the value of `MEDIA_ROOT`, to be `/var/lib/tandoor-recipes`....

Odine Solutions GateKeeper 1.0 contains a SQL injection vulnerability in the trafficCycle API endpoint that allows remote attackers to inject malicious database queries. [CVSS 8.2 HIGH]

Veeam allows Backup Operators to execute code as postgres via malicious interval or order parameters. Another operator-to-RCE escalation path with scope change.

Veeam allows Backup Administrators to execute code as postgres via a malicious password parameter. Scope change means OS-level compromise from application-level admin access.

An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451 and enables full remote code execution through unsanitized PostgreSQL init script filenames passed to shell commands. A public proof-of-concept exploit is available, and while not currently in CISA KEV, the vulnerability has a moderate EPSS score of 0.41% indicating some exploitation probability.

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

A remote code execution (RCE) vulnerability in the Postgres Drivers component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Dependency on Vulnerable Third-Party Component (CWE-1395) in the PostgreSQL backend in AxxonSoft Axxon One (C-Werk) 2.0.8 and earlier on Windows and Linux allows a remote attacker to escalate. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

pREST (PostgreSQL REST), is an API that delivers an application on top of a Postgres database. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

OpenEBS Local PV RawFile allows dynamic deployment of Stateful Persistent Node-Local Volumes & Filesystems for Kubernetes. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

aiven-db-migrate is an Aiven database migration tool. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

aiven-db-migrate is an Aiven database migration tool. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.

CVE-2025-1709 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

The application is vulnerable to SQL injection attacks. An attacker is able to dump the PostgreSQL database and read its content.

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

Critical authentication bypass vulnerability in Versa Director that exposes multiple services (SSH, PostgreSQL, and others) with default credentials on internet-facing deployments. The vulnerability affects Versa Director installations where default passwords remain unchanged, allowing unauthenticated remote attackers to gain complete system compromise (confidentiality, integrity, and availability impact). While no confirmed exploitation has been reported, proof-of-concept code has been publicly disclosed by security researchers, and the CVSS 9.8 score reflects the severity of unrestricted remote access with default credentials.

A security vulnerability in PingFederate OAuth2 grant duplication in PostgreSQL persistent storage (CVSS 2.1) that allows oauth2 requests. Remediation should follow standard vulnerability management procedures.

The PostgreSQL JDBC driver (pgjdbc) versions 42.7.4 through 42.7.6 contain an authentication bypass vulnerability where channel binding validation is incorrectly disabled, allowing man-in-the-middle attackers to intercept connections that administrators configured to require channel binding protection. Affected users running pgjdbc with channel binding set to 'required' (a non-default but security-conscious configuration) are vulnerable to credential interception and session hijacking despite believing their connections are protected. The vulnerability is fixed in version 42.7.7.

PostgreSQL Anonymizer v2.0 and v2.1 contain a vulnerability that allows a masked user to bypass the masking rules defined on a table and read the original data using a database cursor or the --insert option of pg_dump. This problem occurs only when dynamic masking is enabled, which is not the default setting. The problem is resolved in version 2.2.1

The bitnami/pgpool Docker image, and the bitnami/postgres-ha k8s chart, under default configurations, comes with an 'repmgr' user that allows unauthenticated access to the database inside the. Rated critical severity (CVSS 9.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.