Skip to main content

PostgreSQL

409 CVEs product

Monthly

CVE-2026-41167 CRITICAL PATCH Act Now

SQL injection in Jellystat versions prior to 1.1.10 escalates to remote code execution on the PostgreSQL database host. Authenticated attackers can inject arbitrary SQL via multiple API endpoints (`/api/getUserDetails`, `/api/getLibrary`), initially exfiltrating sensitive credentials from the `app_config` table (including Jellystat admin credentials and Jellyfin API keys). Because the application uses node-postgres simple query protocol allowing stacked queries, attackers can leverage PostgreSQL's `COPY ... TO PROGRAM` to achieve command execution on the database server. The project's default docker-compose.yml deploys PostgreSQL with superuser privileges, removing any privilege barriers to RCE. Vendor patch released in version 1.1.10 (GitHub commit 735fe7c confirmed). No active exploitation confirmed by CISA KEV, but publicly available exploit code exists given the detailed technical disclosure in GitHub Security Advisory GHSA-fj7c-2p5q-g56m.

Docker SQLi PostgreSQL
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-41640 npm HIGH POC PATCH GHSA This Week

SQL injection in NocoBase's @nocobase/database package allows authenticated users with record-creation privileges to execute arbitrary SQL queries and extract database credentials. The vulnerability exists in the queryParentSQL() function, which constructs recursive Common Table Expression (CTE) queries using string concatenation instead of parameterized queries when processing tree collections with string primary keys. An attacker can inject malicious SQL by creating records with crafted primary key values, triggering the vulnerability when recursive eager loading occurs. Successful exploitation leads to full database compromise, with confirmed extraction of administrator credentials (emails and password hashes) in testing against PostgreSQL. On databases where the service account has elevated privileges, attackers can achieve operating system command execution via PostgreSQL's COPY...TO PROGRAM feature. Vendor patch available via GitHub PR #9133.

Command Injection Debian SQLi PostgreSQL
NVD GitHub
CVSS 3.1
7.5
EPSS
4.2%
CVE-2026-41641 npm HIGH POC PATCH GHSA This Week

SQL injection in NocoBase plugin-collection-sql allows authenticated users with collection management permissions to bypass validation controls and execute arbitrary SQL queries. The checkSQL() function blocks dangerous keywords on collection creation and execution but is completely absent from the update endpoint, enabling attackers to create benign SQL collections then modify them with malicious queries to exfiltrate sensitive data including user credentials. Vendor patch available via GitHub PR #9134 and commit 851aee5. CVSS 7.2 reflects high privileges required (PR:H), but real-world impact is severe for environments where collection managers are not fully trusted administrators.

SQLi PostgreSQL Privilege Escalation
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-40906 HIGH PATCH This Week

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.

SQLi PostgreSQL Electric
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-39946 Go MEDIUM PATCH GHSA This Month

OpenBao 2.5.2 and earlier fails to properly quote PostgreSQL schema names during role revocation in the PostgreSQL database secrets engine, allowing authenticated high-privilege administrators to execute arbitrary SQL injection as the database management user. The vulnerability affects the credentials management workflow when revoking database roles, potentially compromising database integrity. A vendor-released patch (version 2.5.3) is available.

PostgreSQL SQLi Hashicorp Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-40346 npm MEDIUM PATCH GHSA This Month

{ url: trim(url), // User-controlled, no validation method, headers, params, timeout, ...(method.toLowerCase() !== 'get' && data != null ? { data: transformer ? await transformer(data) : data } : {}), }); ``` The `url` at line 98 comes directly from user workflow configuration with only whitespace trimming. **`packages/plugins/@nocobase/plugin-action-custom-request/src/server/actions/send.ts` lines 172-198:** ```typescript const axiosRequestConfig = { baseURL: ctx.origin, ...options, url: getParsedValue(url, variables), // User-controlled via template headers: { ... }, params: getParsedValue(arrayToObject(params), variables), data: getParsedValue(toJSON(data), variables), }; const res = await axios(axiosRequestConfig); // No IP validation ``` - No `request-filtering-agent` or SSRF library (confirmed via grep across entire codebase) - No private IP range filtering - No cloud metadata endpoint blocking - No URL scheme validation - No DNS rebinding protection 1. Authenticated user creates a workflow with HTTP Request node 2. Sets URL to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` 3. Triggers the workflow 4. Server fetches AWS metadata and returns IAM credentials in workflow execution logs Alternatively via Custom Request action: 1. Create custom request with URL `http://127.0.0.1:5432` or `http://10.0.0.1:8080/admin` 2. Execute the action 3. Server makes request to internal service - **Cloud metadata theft**: AWS/GCP/Azure credentials via metadata endpoints - **Internal network access**: Scan and interact with services on private IP ranges - **Database access**: Connect to localhost databases (PostgreSQL, Redis, etc.) - **Authentication required**: Yes (authenticated user), but any workspace member can create workflows

PostgreSQL SSRF Microsoft Redis
NVD GitHub VulDB
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-30778 Maven HIGH PATCH GHSA This Week

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue.

Apache Information Disclosure PostgreSQL
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40887 npm CRITICAL POC PATCH GHSA Act Now

{ctx.languageCode}' THEN 2 WHEN '${ctx.channel.defaultLanguageCode}' THEN 1 ELSE 0 END`, 'sort_order', ) ``` TypeORM has no opportunity to parameterize this value because it is embedded directly into the SQL string before being passed to the query builder. The `languageCode` value can originate from the HTTP query string and is set on the request context for every incoming API request. The value is cast to the `LanguageCode` TypeScript type at compile time, but no runtime validation is performed -- the raw query string value is used as-is. An unauthenticated attacker can append a crafted `languageCode` query parameter to any Shop API request to inject arbitrary SQL into the query. No user interaction is required. The vulnerable endpoint is exposed on every default Vendure installation. **Upgrade to a patched version immediately.** If you cannot upgrade right away, apply the following hotfix to `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query: ```ts private getLanguageCode(req: Request, channel: Channel): LanguageCode | undefined { const queryLanguageCode = req.query?.languageCode as string | undefined; const isValidFormat = queryLanguageCode && /^[a-zA-Z0-9_-]+$/.test(queryLanguageCode); return ( (isValidFormat ? (queryLanguageCode as LanguageCode) : undefined) ?? channel.defaultLanguageCode ?? this.configService.defaultLanguageCode ); } ``` This replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.

SQLi PostgreSQL
NVD GitHub
CVSS 3.1
9.1
EPSS
4.6%
CVE-2026-39842 Maven CRITICAL PATCH GHSA Act Now

Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c

Information Disclosure RCE Apple Docker Deserialization +5
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-40258 PyPI CRITICAL PATCH GHSA Act Now

Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.

PostgreSQL Python Path Traversal Docker
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-34977 CRITICAL PATCH Act Now

Unauthenticated remote code execution (RCE) at root level in Aperi'Solve <3.2.1 allows attackers to execute arbitrary commands via unsanitized password input in JPEG upload functionality. Attack requires no authentication (PR:N) and low complexity (AC:L), with CVSS 9.3 critical severity. Publicly available exploit code exists via GitHub advisory. Attackers gain full container compromise with potential pivot to PostgreSQL/Redis databases and, in misconfigured deployments with Docker socket mounts, possible host system takeover. EPSS data not provided, but given unauthenticated network-based vector and public disclosure with fix details, exploitation risk is substantial for exposed instances.

Docker Command Injection Redis PostgreSQL Aperisolve
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-34612 CRITICAL Act Now

SQL injection in Kestra orchestration platform's flow search endpoint (GET /api/v1/main/flows/search) enables remote code execution on the underlying PostgreSQL host. Authenticated users can trigger the vulnerability by visiting a malicious link, exploiting PostgreSQL's COPY TO PROGRAM feature to execute arbitrary OS commands on the Docker container host. Affects Kestra versions prior to 1.3.7 in default docker-compose deployments. With CVSS 9.9 (Critical) and low attack complexity requiring only low-privilege authentication, this represents a severe risk for container escape and host compromise scenarios.

Docker SQLi PostgreSQL RCE
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-34950 npm CRITICAL PATCH GHSA Act Now

JWT algorithm confusion in fast-jwt npm package allows remote attackers to forge authentication tokens with arbitrary claims by exploiting incomplete CVE-2023-48223 remediation. The vulnerability (CVSS 9.1 Critical) affects applications using RS256 with public keys containing leading whitespace-a common scenario in database-stored keys, YAML configurations, and environment variables. Attackers possessing the RSA public key (inherently public information) can craft HS256 tokens accepted as valid

RCE Python PostgreSQL
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34825 npm HIGH PATCH GHSA This Week

{{$context.data.fieldName}}) directly into raw SQL statements, enabling attackers to break out of string literals and inject malicious SQL commands. Publicly available exploit code exists demonstrating UNION-based injection to extract database credentials and system information. With default Docker deployments granting superuser database privileges, attackers gain full read/write access to the database including credential extraction, data modification, and table deletion capabilities.

SQLi Docker Debian PostgreSQL
NVD GitHub
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-34725 npm HIGH PATCH GHSA This Week

Stored XSS in DbGate npm package escalates to remote code execution in Electron desktop app via unsanitized SVG icon rendering. Attackers who inject malicious SVG payloads into application definition files can execute arbitrary JavaScript when victims view matching database entries. In the Electron desktop client, insecure configuration (nodeIntegration: true, contextIsolation: false) allows XSS payloads to invoke Node.js APIs, enabling local code execution including file system access. Web depl

XSS RCE PostgreSQL
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-34455 HIGH PATCH This Week

SQL injection in Hi.Events open-source event management platform (versions 0.8.0-beta.1 through 1.7.0-beta) allows remote unauthenticated attackers to execute arbitrary SQL queries via unsanitized sort_by parameters passed to Eloquent's orderBy() method. The PostgreSQL backend supports stacked queries, enabling multi-statement injection. While CVSS 8.7 reflects high confidentiality impact and no authentication requirement, no public exploit code or CISA KEV listing exists at time of analysis. Vendor-released patch available in version 1.7.1-beta.

SQLi PostgreSQL
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-34400 PyPI MEDIUM PATCH GHSA This Month

SQL injection in Alerta's Query string search API (q= parameter) allows unauthenticated remote attackers to execute arbitrary SQL commands against the underlying PostgreSQL database. The vulnerability stems from unsafe f-string interpolation of user-supplied search terms directly into SQL WHERE clauses without parameterization. Alerta versions prior to 9.1.0 are affected; the vulnerability has been patched in version 9.1.0 with no public exploit code identified at time of analysis.

PostgreSQL SQLi
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-29953 HIGH This Week

SQL injection in SchemaHero 0.23.0 allows remote attackers to execute arbitrary SQL commands through the column parameter in the columnAsInsert function within the PostgreSQL plugin, potentially compromising database integrity and confidentiality. Public exploit documentation is available, indicating proof-of-concept code exists. CVSS and EPSS data are unavailable, limiting formal severity quantification.

SQLi PostgreSQL
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-32286 Go HIGH PATCH GHSA This Week

DataRow.Decode in github.com/jackc/pgproto3/v2 fails to validate field length parameters, allowing a malicious or compromised PostgreSQL server to send a DataRow message with a negative field length that triggers a slice bounds out of range panic in Go applications using this library. Affected applications experience denial of service through unexpected termination when connecting to an untrusted or compromised database server. No public exploit code or active exploitation has been confirmed; however, the attack requires only network access to a PostgreSQL endpoint that the vulnerable application connects to.

PostgreSQL Information Disclosure Github Com Jackc Pgproto3 V2
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33713 npm HIGH POC PATCH This Week

SQL injection in n8n's Data Table Get node allows authenticated users with workflow modification permissions to execute arbitrary SQL queries against PostgreSQL backends, enabling data modification and deletion. Public exploit code exists for this vulnerability. Affected versions prior to 1.123.26, 2.13.3, and 2.14.1 should be upgraded immediately, or workflow creation/editing permissions should be restricted to trusted users only.

SQLi PostgreSQL
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33663 npm HIGH POC PATCH This Week

n8n workflow automation platform Community Edition contains an authorization bypass vulnerability allowing authenticated users with member-level privileges to steal plaintext credentials from other users. The flaw chains name-based credential resolution that doesn't enforce ownership with a permissions bypass affecting generic HTTP credential types (httpBasicAuth, httpHeaderAuth, httpQueryAuth). Attackers can decrypt and exfiltrate credentials without authorization, though native integration credentials remain unaffected.

Authentication Bypass PostgreSQL
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-33539 npm HIGH PATCH This Week

Parse Server versions prior to 8.6.59 and 9.6.0-alpha.53 contain a SQL injection vulnerability in PostgreSQL aggregate operations that allows attackers with master key access to execute arbitrary SQL statements, escalating from application-level administrator privileges to database-level access. Only PostgreSQL-backed Parse Server deployments are affected; MongoDB deployments are not vulnerable. No CVSS score or EPSS data is currently available, and no KEV or active exploitation reports have been confirmed at this time.

Privilege Escalation Node.js PostgreSQL SQLi
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-33442 npm HIGH PATCH This Week

SQL injection in PostgreSQL via unsafe backslash handling in Kysely's query compiler allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting backslashes into JSON path string literals that bypass quote escaping. The vulnerability affects systems using the default BACKSLASH_ESCAPES SQL mode, where attackers can break out of sanitized JSON path expressions through specially crafted input. No patch is currently available.

SQLi PostgreSQL
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-32950 HIGH PATCH This Week

SQLBot, an intelligent data query system based on large language models and RAG, contains a critical SQL injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that allows authenticated users with minimal privileges to achieve remote code execution on the backend server. SQLBot versions prior to 1.7.0 are affected, and attackers can exploit unsafe concatenation of Excel sheet names into PostgreSQL table names and COPY statements to inject malicious SQL commands. The vulnerability enables arbitrary command execution as the postgres user, database takeover, and sensitive file exfiltration including /etc/passwd and /etc/shadow.

SQLi RCE PostgreSQL Command Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-32622 HIGH PATCH This Week

Remote code execution in SQLBot 1.5.0 and below allows authenticated users to inject malicious prompts through unsanitized terminology uploads, enabling attackers to manipulate the LLM into generating arbitrary PostgreSQL commands executed with database privileges. The vulnerability stems from missing permission checks on the Excel upload API combined with inadequate semantic isolation when injecting user-controlled data into the system prompt. An attacker can exploit this to achieve code execution on the database or application server running as the postgres user.

Authentication Bypass RCE PostgreSQL
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-4427 Go HIGH PATCH GHSA This Week

PostgreSQL client applications using the pgproto3 Go library (github.com/jackc/pgproto3/v2) can be crashed remotely by malicious or compromised PostgreSQL servers sending specially crafted DataRow messages with negative field lengths, triggering slice bounds panics that result in denial of service. The vulnerability requires no authentication and has low attack complexity (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), though the EPSS score of 0.07% (20th percentile) suggests minimal observed exploitation activity. Multiple detailed technical advisories exist including analysis from Security Infinity, and the issue is tracked in GitHub issue #2507 for the pgx project.

PostgreSQL Denial Of Service Buffer Overflow Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-33142 npm HIGH PATCH This Week

SQL injection in PostgreSQL StatementGenerator allows authenticated attackers to execute arbitrary SQL commands through unsanitized object keys in sort, select, and groupBy parameters on analytics endpoints. The vulnerability exists because column name validation was incompletely applied during a previous fix, leaving three query construction methods vulnerable to direct identifier injection. An attacker with valid credentials can exploit this to access or manipulate database contents without requiring user interaction.

PostgreSQL SQLi
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-32763 npm HIGH PATCH This Week

Kysely through version 0.28.11 contains a SQL injection vulnerability in JSON path compilation affecting MySQL and SQLite dialects. The visitJSONPathLeg() function appends user-controlled values from .key() and .at() methods directly into single-quoted JSON path string literals without escaping single quotes, enabling attackers to break out of the string context and inject arbitrary SQL. A working proof-of-concept demonstrates UNION-based data exfiltration from SQLite databases. The vulnerability has CVSS score 8.2 and patches are available from the vendor.

SQLi PostgreSQL
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-32747 Go MEDIUM PATCH This Month

Administrative users of Docker and PostgreSQL deployments can exploit an incomplete path validation in the `POST /api/file/globalCopyFiles` endpoint to copy sensitive files like container environment variables and Docker secrets from restricted locations (`/proc/`, `/run/secrets/`) into the workspace, where they become readable via standard file APIs. The vulnerability stems from reliance on a blocklist-based validation mechanism that fails to prevent access to these critical system paths. Since no patch is currently available, organizations should restrict administrative access to the affected API endpoint until an update is released.

Docker PostgreSQL Path Traversal Suse
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-4191 MEDIUM POC This Month

A critical unrestricted file upload vulnerability exists in the Profile Picture Handler component of JawherKl's node-api-postgres library (versions up to 2.5), where improper validation in the path.extname function of index.js allows attackers to upload malicious files remotely without authentication. A proof-of-concept exploit is publicly available, making this vulnerability actively exploitable, though it is not currently listed in CISA's KEV catalog and no EPSS score is provided.

File Upload PostgreSQL
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4190 MEDIUM POC This Month

SQL injection in the User.getAll function of node-api-postgres up to version 2.5 allows remote attackers to manipulate the sort parameter and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. Affected deployments using PostgreSQL with the vulnerable Node.js API library face risks of unauthorized data access, modification, and potential service disruption.

SQLi PostgreSQL
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-32628 HIGH This Week

SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands against connected PostgreSQL, MySQL, and MSSQL databases through the built-in SQL Agent plugin. The vulnerability stems from unsafe string concatenation of table names in the getTableSchemaSql() method across all three database connectors, bypassing proper parameterization. Any user with access to invoke the SQL Agent can exploit this to read, modify, or delete sensitive database contents.

SQLi PostgreSQL MySQL MSSQL Information Disclosure +2
NVD GitHub
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-32248 npm CRITICAL POC PATCH Act Now

Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.

Information Disclosure Node.js PostgreSQL Parse Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-21708 CRITICAL Act Now

Veeam Backup & Replication allows a user with the Backup Viewer role (read-only) to escalate to remote code execution as the postgres database user. A read-only role achieving RCE represents a severe privilege escalation with scope change.

PostgreSQL RCE SQLi
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-32234 npm MEDIUM PATCH This Month

An attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a `$regex` query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using PostgreSQL. The fix applies proper SQL identifier escaping to field names in the query handler and hardens query field name validation to reject malicious field names for all query types. There is no known workaround. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6 - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.36

Node.js PostgreSQL SQLi Parse Server
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-31872 npm HIGH PATCH This Week

Parse Server versions prior to 9.6.0-alpha.6 and 8.6.32 allow attackers to bypass class-level permission restrictions on protected fields by using dot-notation in query and sort parameters, enabling enumeration of sensitive field values through binary oracle attacks. This affects both MongoDB and PostgreSQL deployments and requires no authentication or user interaction. No patch is currently available for affected versions.

Node.js PostgreSQL Authentication Bypass Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31871 npm CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.

Node.js PostgreSQL SQLi Parse Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31856 npm CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.

Node.js PostgreSQL SQLi Parse Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31840 npm CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.

Node.js PostgreSQL SQLi Parse Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-13957 CISA This Week

CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause information disclosure and remote code execution when SOCKS Proxy is enabled, and administrator credentials and PostgreSQL database credentials are known. SOCKS Proxy is disabled by default.

PostgreSQL RCE Information Disclosure
NVD
EPSS
0.3%
CVE-2026-25041 npm HIGH PATCH This Week

Command injection in Budibase 3.23.22 and earlier allows authenticated attackers with high privileges to execute arbitrary system commands by injecting malicious values into PostgreSQL connection parameters that are unsanitized in shell command construction. An attacker with administrative access can exploit this vulnerability to gain complete control over the underlying server hosting the Budibase instance. No patch is currently available for this vulnerability.

PostgreSQL Command Injection Budibase
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-30860 Go CRITICAL POC PATCH Act Now

SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.

PostgreSQL RCE SQLi AI / ML Weknora +1
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-29089 HIGH This Week

Arbitrary code execution in TimescaleDB 2.23.0 through 2.25.1 allows local authenticated users to execute malicious functions by shadowing built-in PostgreSQL functions through user-writable schemas in the search_path setting during extension upgrades. An attacker with database access can create malicious functions in writable schemas that are invoked instead of legitimate PostgreSQL functions, resulting in code execution with database privileges. No patch is currently available for affected installations.

PostgreSQL RCE Timescaledb Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-27005 CRITICAL POC Act Now

SQL injection in Chartbrew before 4.8.3. PoC available.

MySQL PostgreSQL Chartbrew
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-26932 MEDIUM This Month

Packetbeat's PostgreSQL protocol parser improperly validates array indices, allowing authenticated attackers on the same network to crash the monitoring service by sending malicious packets. An attacker exploiting this denial-of-service vulnerability can terminate the Packetbeat process, disrupting monitoring capabilities on systems with PostgreSQL protocol monitoring enabled. No patch is currently available.

Golang PostgreSQL Denial Of Service Packetbeat
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-23984 PyPI MEDIUM PATCH This Month

Authenticated users in Apache Superset versions before 6.0.0 can execute write operations against PostgreSQL databases configured as read-only by crafting specially formatted SQL statements that evade validation checks. This allows an attacker with SQLLab access to perform unauthorized data modifications despite read-only protections being in place. No patch is currently available for affected versions.

Apache PostgreSQL Superset
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23969 PyPI MEDIUM PATCH This Month

Insufficient SQL function restrictions in Apache Superset before 4.1.2 allow authenticated users to execute sensitive database functions on ClickHouse engines that should have been blocked. An attacker with database access could leverage the incomplete DISALLOWED_SQL_FUNCTIONS list to bypass security controls and potentially extract or manipulate data. No patch is currently available for affected versions of Apache Superset, PostgreSQL, and related deployments.

Apache PostgreSQL Superset
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67305 CRITICAL Act Now

Hardcoded SSH keys in Ruckus Network Director OVA < 4.5.0.56 for postgres user. Same across all appliances.

PostgreSQL Privilege Escalation
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-67304 CRITICAL Act Now

Hardcoded PostgreSQL credentials in Ruckus Network Director OVA < 4.5.0.54.

PostgreSQL Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25949 Go HIGH PATCH GHSA This Week

Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resources by exploiting improper timeout handling in STARTTLS request processing. An attacker can send a PostgreSQL SSLRequest prelude and then stall the connection indefinitely, bypassing the readTimeout protection and accumulating open connections until service availability is degraded. A patch is available in version 3.6.8.

PostgreSQL Denial Of Service Traefik
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-2007 HIGH PATCH This Week

Heap buffer overflow in the pg_trgm extension of PostgreSQL 18.0 and 18.1 allows authenticated database users to trigger memory corruption through specially crafted input strings. An attacker with database access could potentially achieve privilege escalation or cause service disruption, though exploit complexity is currently limited by restricted control over written data. No patch is currently available.

PostgreSQL Buffer Overflow Privilege Escalation Heap Overflow
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-2006 HIGH PATCH This Week

Arbitrary code execution in PostgreSQL results from insufficient validation of multibyte character lengths in text manipulation functions, allowing authenticated database users to trigger buffer overflows and execute commands with database process privileges. Affected versions include PostgreSQL 14.x before 14.21, 15.x before 15.16, 16.x before 16.12, 17.x before 17.8, and all versions before 18.2. No patch is currently available, leaving databases vulnerable to privilege escalation attacks from database-level users.

PostgreSQL RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-2005 HIGH PATCH This Week

Arbitrary code execution in PostgreSQL pgcrypto module (versions before 14.21, 15.16, 16.12, 17.8, and 18.2) stems from a heap buffer overflow that allows attackers with database access to execute commands with the privileges of the PostgreSQL system user. An authenticated attacker can exploit this vulnerability by providing specially crafted ciphertext to trigger the overflow condition. No patch is currently available, leaving affected PostgreSQL installations vulnerable to privilege escalation and full system compromise.

PostgreSQL Buffer Overflow Heap Overflow RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-2004 HIGH PATCH This Week

PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21 contain insufficient input validation in the intarray extension's selectivity estimator function, enabling authenticated users with object creation privileges to execute arbitrary code with database server privileges. The vulnerability requires valid database credentials but allows complete system compromise through code execution at the OS level. No patch is currently available for affected deployments.

PostgreSQL RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-2003 MEDIUM PATCH This Month

Improper validation of the "oidvector" type in PostgreSQL allows authenticated database users to read small amounts of server memory, potentially exposing sensitive data. This vulnerability affects PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21, with no patch currently available for impacted systems.

PostgreSQL Red Hat Suse
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-26010 Maven HIGH POC PATCH This Week

OpenMetadata versions prior to 1.11.8 expose JWT tokens for the privileged ingestion-bot account through the /api/v1/ingestionPipelines API endpoint, allowing any read-only user to escalate privileges and impersonate a highly privileged service account. With public exploit code available and no patch currently deployed on most instances, attackers can perform destructive actions within OpenMetadata and access sensitive metadata that should be restricted by role-based policies. This vulnerability affects OpenMetadata deployments and related systems like PostgreSQL that depend on its authentication tokens.

PostgreSQL Openmetadata
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-2361 HIGH This Week

Privilege escalation in PostgreSQL Anonymizer allows authenticated users with CREATE privileges to gain superuser access by exploiting unsafe function execution within temporary views. This vulnerability affects PostgreSQL 15 and later, with heightened risk on PostgreSQL 14 instances due to default public schema permissions, and impacts all users unable to upgrade to version 3.0.1 or later. No patch is currently available for affected deployments.

PostgreSQL
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-2360 HIGH This Week

PostgreSQL Anonymizer allows authenticated users to escalate to superuser privileges by injecting malicious code into custom operators placed in the public schema, which execute with elevated privileges during extension creation. This vulnerability primarily affects PostgreSQL 14 and instances upgraded from earlier versions, as PostgreSQL 15+ restricts public schema creation permissions by default. A patch is available in PostgreSQL Anonymizer version 3.0.1 and later.

PostgreSQL
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-25574 npm MEDIUM PATCH This Month

Cross-collection IDOR in Payload CMS before v3.74.0 allows authenticated users to read and delete preferences from other authentication collections when numeric user IDs overlap in PostgreSQL or SQLite deployments. This vulnerability affects multi-auth environments where default auto-increment IDs create collisions across separate user collections. An attacker with valid credentials in one authentication domain can access and manipulate sensitive preference data belonging to users in different authentication domains.

PostgreSQL SQLi Payload
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-69662 PyPI HIGH POC PATCH GHSA This Week

SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database. [CVSS 8.6 HIGH]

PostgreSQL SQLi pandas
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2025-69285 MEDIUM POC This Month

SQLBot is an intelligent data query system based on a large language model and RAG. [CVSS 6.1 MEDIUM]

PostgreSQL AI / ML Sqlbot
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2021-47748 CRITICAL POC Act Now

Hasura GraphQL 1.3.3 has a remote code execution vulnerability allowing attackers to execute arbitrary shell commands through the GraphQL endpoint.

PostgreSQL RCE Graphql Engine
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-23838 Monitor

Tandoor Recipes is a recipe manager than can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full database file may be externally accessible, potentially on the Internet. The root cause is that the NixOS module configures the working directory of Tandoor Recipes, as well as the value of `MEDIA_ROOT`, to be `/var/lib/tandoor-recipes`....

Nginx PostgreSQL SQLi
NVD GitHub
EPSS
0.1%
CVE-2021-47782 HIGH POC This Week

Odine Solutions GateKeeper 1.0 contains a SQL injection vulnerability in the trafficCycle API endpoint that allows remote attackers to inject malicious database queries. [CVSS 8.2 HIGH]

PostgreSQL SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-59470 CRITICAL Act Now

Veeam allows Backup Operators to execute code as postgres via malicious interval or order parameters. Another operator-to-RCE escalation path with scope change.

PostgreSQL RCE
NVD
CVSS 3.1
9.0
EPSS
0.2%
CVE-2025-59468 CRITICAL Act Now

Veeam allows Backup Administrators to execute code as postgres via a malicious password parameter. Scope change means OS-level compromise from application-level admin access.

PostgreSQL RCE
NVD
CVSS 3.1
9.0
EPSS
0.1%
CVE-2025-66211 HIGH POC This Week

An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451 and enables full remote code execution through unsanitized PostgreSQL init script filenames passed to shell commands. A public proof-of-concept exploit is available, and while not currently in CISA KEV, the vulnerability has a moderate EPSS score of 0.41% indicating some exploitation probability.

Command Injection PostgreSQL RCE Privilege Escalation Docker +1
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-56157 CRITICAL POC Act Now

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 allow anyone who can reach the database port to authenticate with full read/write access to the backend datastore. Publicly available exploit code exists, though EPSS remains low (0.81%) and the vendor states the database port is not network-exposed by default in 1.0.1 and later, limiting realistic reach. There is no public exploit identified as actively used in the wild (not in CISA KEV).

Authentication Bypass PostgreSQL Docker Dify
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2025-13372 PyPI MEDIUM PATCH This Month

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

SQLi PostgreSQL Python Ubuntu Debian +3
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-66260 HIGH POC This Week

PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP PostgreSQL Mozart Next 100 Firmware Mozart Next 1000 Firmware +20
NVD
CVSS 4.0
7.2
EPSS
0.0%
CVE-2025-10703 HIGH This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker Oracle Apache Google SAP +5
NVD
CVSS 4.0
8.6
EPSS
0.4%
CVE-2025-10702 HIGH This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker Oracle Apache Google SAP +4
NVD
CVSS 4.0
8.6
EPSS
0.4%
CVE-2025-12818 MEDIUM POC PATCH This Month

Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Integer Overflow Buffer Overflow PostgreSQL Red Hat Suse
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-12817 LOW Monitor

Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service PostgreSQL Authentication Bypass
NVD
CVSS 3.1
3.1
EPSS
0.1%
CVE-2025-12967 PyPI HIGH PATCH This Week

An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Python Privilege Escalation
NVD GitHub
CVSS 4.0
8.6
EPSS
0.2%
CVE-2025-60785 HIGH POC This Week

A remote code execution (RCE) vulnerability in the Postgres Drivers component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PostgreSQL Code Injection Icescrum
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-34227 HIGH POC This Week

Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PostgreSQL Nagios Xi
NVD
CVSS 4.0
8.6
EPSS
2.2%
CVE-2025-59333 npm HIGH POC This Week

The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Denial Of Service PostgreSQL Node.js Mcp Database Server
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-10226 CRITICAL This Week

Dependency on Vulnerable Third-Party Component (CWE-1395) in the PostgreSQL backend in AxxonSoft Axxon One (C-Werk) 2.0.8 and earlier on Windows and Linux allows a remote attacker to escalate. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PostgreSQL Microsoft RCE Axxon One Windows
NVD
CVSS 4.0
9.3
EPSS
0.4%
CVE-2025-58450 Go CRITICAL PATCH This Week

pREST (PostgreSQL REST), is an API that delivers an application on top of a Postgres database. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PostgreSQL SQLi Suse
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-58061 MEDIUM This Month

OpenEBS Local PV RawFile allows dynamic deployment of Stateful Persistent Node-Local Volumes & Filesystems for Kubernetes. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Kubernetes PostgreSQL Information Disclosure
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-50979 npm HIGH POC This Week

NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PostgreSQL SQLi Nodebb
NVD GitHub
CVSS 3.1
8.6
EPSS
0.2%
CVE-2025-55283 CRITICAL PATCH This Week

aiven-db-migrate is an Aiven database migration tool. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection PostgreSQL Privilege Escalation Aiven Db Migrate
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-55282 CRITICAL PATCH This Week

aiven-db-migrate is an Aiven database migration tool. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Privilege Escalation PostgreSQL Path Traversal Aiven Db Migrate
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-8715 HIGH PATCH This Month

Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE PostgreSQL SQLi Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-8714 HIGH PATCH This Month

Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE PostgreSQL Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-8713 LOW Monitor

PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

PostgreSQL Information Disclosure
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-1735 MEDIUM PATCH This Month

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.

PHP PostgreSQL SQLi Debian Red Hat +1
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-1709 MEDIUM This Month

CVE-2025-1709 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure PostgreSQL Meac300 Fnade4 Firmware
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-1708 HIGH This Week

The application is vulnerable to SQL injection attacks. An attacker is able to dump the PostgreSQL database and read its content.

PostgreSQL SQLi Meac300 Fnade4 Firmware
NVD
CVSS 3.1
8.6
EPSS
0.1%
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

SQL injection in Jellystat versions prior to 1.1.10 escalates to remote code execution on the PostgreSQL database host. Authenticated attackers can inject arbitrary SQL via multiple API endpoints (`/api/getUserDetails`, `/api/getLibrary`), initially exfiltrating sensitive credentials from the `app_config` table (including Jellystat admin credentials and Jellyfin API keys). Because the application uses node-postgres simple query protocol allowing stacked queries, attackers can leverage PostgreSQL's `COPY ... TO PROGRAM` to achieve command execution on the database server. The project's default docker-compose.yml deploys PostgreSQL with superuser privileges, removing any privilege barriers to RCE. Vendor patch released in version 1.1.10 (GitHub commit 735fe7c confirmed). No active exploitation confirmed by CISA KEV, but publicly available exploit code exists given the detailed technical disclosure in GitHub Security Advisory GHSA-fj7c-2p5q-g56m.

Docker SQLi PostgreSQL
NVD GitHub
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

SQL injection in NocoBase's @nocobase/database package allows authenticated users with record-creation privileges to execute arbitrary SQL queries and extract database credentials. The vulnerability exists in the queryParentSQL() function, which constructs recursive Common Table Expression (CTE) queries using string concatenation instead of parameterized queries when processing tree collections with string primary keys. An attacker can inject malicious SQL by creating records with crafted primary key values, triggering the vulnerability when recursive eager loading occurs. Successful exploitation leads to full database compromise, with confirmed extraction of administrator credentials (emails and password hashes) in testing against PostgreSQL. On databases where the service account has elevated privileges, attackers can achieve operating system command execution via PostgreSQL's COPY...TO PROGRAM feature. Vendor patch available via GitHub PR #9133.

Command Injection Debian SQLi +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

SQL injection in NocoBase plugin-collection-sql allows authenticated users with collection management permissions to bypass validation controls and execute arbitrary SQL queries. The checkSQL() function blocks dangerous keywords on collection creation and execution but is completely absent from the update endpoint, enabling attackers to create benign SQL collections then modify them with malicious queries to exfiltrate sensitive data including user credentials. Vendor patch available via GitHub PR #9134 and commit 851aee5. CVSS 7.2 reflects high privileges required (PR:H), but real-world impact is severe for environments where collection managers are not fully trusted administrators.

SQLi PostgreSQL Privilege Escalation
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.

SQLi PostgreSQL Electric
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

OpenBao 2.5.2 and earlier fails to properly quote PostgreSQL schema names during role revocation in the PostgreSQL database secrets engine, allowing authenticated high-privilege administrators to execute arbitrary SQL injection as the database management user. The vulnerability affects the credentials management workflow when revoking database roles, potentially compromising database integrity. A vendor-released patch (version 2.5.3) is available.

PostgreSQL SQLi Hashicorp +2
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

{ url: trim(url), // User-controlled, no validation method, headers, params, timeout, ...(method.toLowerCase() !== 'get' && data != null ? { data: transformer ? await transformer(data) : data } : {}), }); ``` The `url` at line 98 comes directly from user workflow configuration with only whitespace trimming. **`packages/plugins/@nocobase/plugin-action-custom-request/src/server/actions/send.ts` lines 172-198:** ```typescript const axiosRequestConfig = { baseURL: ctx.origin, ...options, url: getParsedValue(url, variables), // User-controlled via template headers: { ... }, params: getParsedValue(arrayToObject(params), variables), data: getParsedValue(toJSON(data), variables), }; const res = await axios(axiosRequestConfig); // No IP validation ``` - No `request-filtering-agent` or SSRF library (confirmed via grep across entire codebase) - No private IP range filtering - No cloud metadata endpoint blocking - No URL scheme validation - No DNS rebinding protection 1. Authenticated user creates a workflow with HTTP Request node 2. Sets URL to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` 3. Triggers the workflow 4. Server fetches AWS metadata and returns IAM credentials in workflow execution logs Alternatively via Custom Request action: 1. Create custom request with URL `http://127.0.0.1:5432` or `http://10.0.0.1:8080/admin` 2. Execute the action 3. Server makes request to internal service - **Cloud metadata theft**: AWS/GCP/Azure credentials via metadata endpoints - **Internal network access**: Scan and interact with services on private IP ranges - **Database access**: Connect to localhost databases (PostgreSQL, Redis, etc.) - **Authentication required**: Yes (authenticated user), but any workspace member can create workflows

PostgreSQL SSRF Microsoft +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue.

Apache Information Disclosure PostgreSQL
NVD VulDB
EPSS 5% CVSS 9.1
CRITICAL POC PATCH Act Now

{ctx.languageCode}' THEN 2 WHEN '${ctx.channel.defaultLanguageCode}' THEN 1 ELSE 0 END`, 'sort_order', ) ``` TypeORM has no opportunity to parameterize this value because it is embedded directly into the SQL string before being passed to the query builder. The `languageCode` value can originate from the HTTP query string and is set on the request context for every incoming API request. The value is cast to the `LanguageCode` TypeScript type at compile time, but no runtime validation is performed -- the raw query string value is used as-is. An unauthenticated attacker can append a crafted `languageCode` query parameter to any Shop API request to inject arbitrary SQL into the query. No user interaction is required. The vulnerable endpoint is exposed on every default Vendure installation. **Upgrade to a patched version immediately.** If you cannot upgrade right away, apply the following hotfix to `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query: ```ts private getLanguageCode(req: Request, channel: Channel): LanguageCode | undefined { const queryLanguageCode = req.query?.languageCode as string | undefined; const isValidFormat = queryLanguageCode && /^[a-zA-Z0-9_-]+$/.test(queryLanguageCode); return ( (isValidFormat ? (queryLanguageCode as LanguageCode) : undefined) ?? channel.defaultLanguageCode ?? this.configService.defaultLanguageCode ); } ``` This replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.

SQLi PostgreSQL
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c

Information Disclosure RCE Apple +7
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.

PostgreSQL Python Path Traversal +1
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated remote code execution (RCE) at root level in Aperi'Solve <3.2.1 allows attackers to execute arbitrary commands via unsanitized password input in JPEG upload functionality. Attack requires no authentication (PR:N) and low complexity (AC:L), with CVSS 9.3 critical severity. Publicly available exploit code exists via GitHub advisory. Attackers gain full container compromise with potential pivot to PostgreSQL/Redis databases and, in misconfigured deployments with Docker socket mounts, possible host system takeover. EPSS data not provided, but given unauthenticated network-based vector and public disclosure with fix details, exploitation risk is substantial for exposed instances.

Docker Command Injection Redis +2
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

SQL injection in Kestra orchestration platform's flow search endpoint (GET /api/v1/main/flows/search) enables remote code execution on the underlying PostgreSQL host. Authenticated users can trigger the vulnerability by visiting a malicious link, exploiting PostgreSQL's COPY TO PROGRAM feature to execute arbitrary OS commands on the Docker container host. Affects Kestra versions prior to 1.3.7 in default docker-compose deployments. With CVSS 9.9 (Critical) and low attack complexity requiring only low-privilege authentication, this represents a severe risk for container escape and host compromise scenarios.

Docker SQLi PostgreSQL +1
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

JWT algorithm confusion in fast-jwt npm package allows remote attackers to forge authentication tokens with arbitrary claims by exploiting incomplete CVE-2023-48223 remediation. The vulnerability (CVSS 9.1 Critical) affects applications using RS256 with public keys containing leading whitespace-a common scenario in database-stored keys, YAML configurations, and environment variables. Attackers possessing the RSA public key (inherently public information) can craft HS256 tokens accepted as valid

RCE Python PostgreSQL
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

{{$context.data.fieldName}}) directly into raw SQL statements, enabling attackers to break out of string literals and inject malicious SQL commands. Publicly available exploit code exists demonstrating UNION-based injection to extract database credentials and system information. With default Docker deployments granting superuser database privileges, attackers gain full read/write access to the database including credential extraction, data modification, and table deletion capabilities.

SQLi Docker Debian +1
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Stored XSS in DbGate npm package escalates to remote code execution in Electron desktop app via unsanitized SVG icon rendering. Attackers who inject malicious SVG payloads into application definition files can execute arbitrary JavaScript when victims view matching database entries. In the Electron desktop client, insecure configuration (nodeIntegration: true, contextIsolation: false) allows XSS payloads to invoke Node.js APIs, enabling local code execution including file system access. Web depl

XSS RCE PostgreSQL
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection in Hi.Events open-source event management platform (versions 0.8.0-beta.1 through 1.7.0-beta) allows remote unauthenticated attackers to execute arbitrary SQL queries via unsanitized sort_by parameters passed to Eloquent's orderBy() method. The PostgreSQL backend supports stacked queries, enabling multi-statement injection. While CVSS 8.7 reflects high confidentiality impact and no authentication requirement, no public exploit code or CISA KEV listing exists at time of analysis. Vendor-released patch available in version 1.7.1-beta.

SQLi PostgreSQL
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

SQL injection in Alerta's Query string search API (q= parameter) allows unauthenticated remote attackers to execute arbitrary SQL commands against the underlying PostgreSQL database. The vulnerability stems from unsafe f-string interpolation of user-supplied search terms directly into SQL WHERE clauses without parameterization. Alerta versions prior to 9.1.0 are affected; the vulnerability has been patched in version 9.1.0 with no public exploit code identified at time of analysis.

PostgreSQL SQLi
NVD GitHub
EPSS 0% CVSS 7.4
HIGH This Week

SQL injection in SchemaHero 0.23.0 allows remote attackers to execute arbitrary SQL commands through the column parameter in the columnAsInsert function within the PostgreSQL plugin, potentially compromising database integrity and confidentiality. Public exploit documentation is available, indicating proof-of-concept code exists. CVSS and EPSS data are unavailable, limiting formal severity quantification.

SQLi PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

DataRow.Decode in github.com/jackc/pgproto3/v2 fails to validate field length parameters, allowing a malicious or compromised PostgreSQL server to send a DataRow message with a negative field length that triggers a slice bounds out of range panic in Go applications using this library. Affected applications experience denial of service through unexpected termination when connecting to an untrusted or compromised database server. No public exploit code or active exploitation has been confirmed; however, the attack requires only network access to a PostgreSQL endpoint that the vulnerable application connects to.

PostgreSQL Information Disclosure Github Com Jackc Pgproto3 V2
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

SQL injection in n8n's Data Table Get node allows authenticated users with workflow modification permissions to execute arbitrary SQL queries against PostgreSQL backends, enabling data modification and deletion. Public exploit code exists for this vulnerability. Affected versions prior to 1.123.26, 2.13.3, and 2.14.1 should be upgraded immediately, or workflow creation/editing permissions should be restricted to trusted users only.

SQLi PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH POC PATCH This Week

n8n workflow automation platform Community Edition contains an authorization bypass vulnerability allowing authenticated users with member-level privileges to steal plaintext credentials from other users. The flaw chains name-based credential resolution that doesn't enforce ownership with a permissions bypass affecting generic HTTP credential types (httpBasicAuth, httpHeaderAuth, httpQueryAuth). Attackers can decrypt and exfiltrate credentials without authorization, though native integration credentials remain unaffected.

Authentication Bypass PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Parse Server versions prior to 8.6.59 and 9.6.0-alpha.53 contain a SQL injection vulnerability in PostgreSQL aggregate operations that allows attackers with master key access to execute arbitrary SQL statements, escalating from application-level administrator privileges to database-level access. Only PostgreSQL-backed Parse Server deployments are affected; MongoDB deployments are not vulnerable. No CVSS score or EPSS data is currently available, and no KEV or active exploitation reports have been confirmed at this time.

Privilege Escalation Node.js PostgreSQL +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

SQL injection in PostgreSQL via unsafe backslash handling in Kysely's query compiler allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting backslashes into JSON path string literals that bypass quote escaping. The vulnerability affects systems using the default BACKSLASH_ESCAPES SQL mode, where attackers can break out of sanitized JSON path expressions through specially crafted input. No patch is currently available.

SQLi PostgreSQL
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQLBot, an intelligent data query system based on large language models and RAG, contains a critical SQL injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that allows authenticated users with minimal privileges to achieve remote code execution on the backend server. SQLBot versions prior to 1.7.0 are affected, and attackers can exploit unsafe concatenation of Excel sheet names into PostgreSQL table names and COPY statements to inject malicious SQL commands. The vulnerability enables arbitrary command execution as the postgres user, database takeover, and sensitive file exfiltration including /etc/passwd and /etc/shadow.

SQLi RCE PostgreSQL +1
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Remote code execution in SQLBot 1.5.0 and below allows authenticated users to inject malicious prompts through unsanitized terminology uploads, enabling attackers to manipulate the LLM into generating arbitrary PostgreSQL commands executed with database privileges. The vulnerability stems from missing permission checks on the Excel upload API combined with inadequate semantic isolation when injecting user-controlled data into the system prompt. An attacker can exploit this to achieve code execution on the database or application server running as the postgres user.

Authentication Bypass RCE PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

PostgreSQL client applications using the pgproto3 Go library (github.com/jackc/pgproto3/v2) can be crashed remotely by malicious or compromised PostgreSQL servers sending specially crafted DataRow messages with negative field lengths, triggering slice bounds panics that result in denial of service. The vulnerability requires no authentication and has low attack complexity (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), though the EPSS score of 0.07% (20th percentile) suggests minimal observed exploitation activity. Multiple detailed technical advisories exist including analysis from Security Infinity, and the issue is tracked in GitHub issue #2507 for the pgx project.

PostgreSQL Denial Of Service Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

SQL injection in PostgreSQL StatementGenerator allows authenticated attackers to execute arbitrary SQL commands through unsanitized object keys in sort, select, and groupBy parameters on analytics endpoints. The vulnerability exists because column name validation was incompletely applied during a previous fix, leaving three query construction methods vulnerable to direct identifier injection. An attacker with valid credentials can exploit this to access or manipulate database contents without requiring user interaction.

PostgreSQL SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Kysely through version 0.28.11 contains a SQL injection vulnerability in JSON path compilation affecting MySQL and SQLite dialects. The visitJSONPathLeg() function appends user-controlled values from .key() and .at() methods directly into single-quoted JSON path string literals without escaping single quotes, enabling attackers to break out of the string context and inject arbitrary SQL. A working proof-of-concept demonstrates UNION-based data exfiltration from SQLite databases. The vulnerability has CVSS score 8.2 and patches are available from the vendor.

SQLi PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Administrative users of Docker and PostgreSQL deployments can exploit an incomplete path validation in the `POST /api/file/globalCopyFiles` endpoint to copy sensitive files like container environment variables and Docker secrets from restricted locations (`/proc/`, `/run/secrets/`) into the workspace, where they become readable via standard file APIs. The vulnerability stems from reliance on a blocklist-based validation mechanism that fails to prevent access to these critical system paths. Since no patch is currently available, organizations should restrict administrative access to the affected API endpoint until an update is released.

Docker PostgreSQL Path Traversal +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A critical unrestricted file upload vulnerability exists in the Profile Picture Handler component of JawherKl's node-api-postgres library (versions up to 2.5), where improper validation in the path.extname function of index.js allows attackers to upload malicious files remotely without authentication. A proof-of-concept exploit is publicly available, making this vulnerability actively exploitable, though it is not currently listed in CISA's KEV catalog and no EPSS score is provided.

File Upload PostgreSQL
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the User.getAll function of node-api-postgres up to version 2.5 allows remote attackers to manipulate the sort parameter and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. Affected deployments using PostgreSQL with the vulnerable Node.js API library face risks of unauthorized data access, modification, and potential service disruption.

SQLi PostgreSQL
NVD VulDB
EPSS 0% CVSS 7.7
HIGH This Week

SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands against connected PostgreSQL, MySQL, and MSSQL databases through the built-in SQL Agent plugin. The vulnerability stems from unsafe string concatenation of table names in the getTableSchemaSql() method across all three database connectors, bypassing proper parameterization. Any user with access to invoke the SQL Agent can exploit this to read, modify, or delete sensitive database contents.

SQLi PostgreSQL MySQL +4
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.

Information Disclosure Node.js PostgreSQL +1
NVD GitHub VulDB
EPSS 1% CVSS 9.9
CRITICAL Act Now

Veeam Backup & Replication allows a user with the Backup Viewer role (read-only) to escalate to remote code execution as the postgres database user. A read-only role achieving RCE represents a severe privilege escalation with scope change.

PostgreSQL RCE SQLi
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

An attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a `$regex` query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using PostgreSQL. The fix applies proper SQL identifier escaping to field names in the query handler and hardens query field name validation to reject malicious field names for all query types. There is no known workaround. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6 - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.36

Node.js PostgreSQL SQLi +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Parse Server versions prior to 9.6.0-alpha.6 and 8.6.32 allow attackers to bypass class-level permission restrictions on protected fields by using dot-notation in query and sort parameters, enabling enumeration of sensitive field values through binary oracle attacks. This affects both MongoDB and PostgreSQL deployments and requires no authentication or user interaction. No patch is currently available for affected versions.

Node.js PostgreSQL Authentication Bypass +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.

Node.js PostgreSQL SQLi +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.

Node.js PostgreSQL SQLi +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.

Node.js PostgreSQL SQLi +1
NVD GitHub VulDB
EPSS 0%
This Week

CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause information disclosure and remote code execution when SOCKS Proxy is enabled, and administrator credentials and PostgreSQL database credentials are known. SOCKS Proxy is disabled by default.

PostgreSQL RCE Information Disclosure
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Command injection in Budibase 3.23.22 and earlier allows authenticated attackers with high privileges to execute arbitrary system commands by injecting malicious values into PostgreSQL connection parameters that are unsanitized in shell command construction. An attacker with administrative access can exploit this vulnerability to gain complete control over the underlying server hosting the Budibase instance. No patch is currently available for this vulnerability.

PostgreSQL Command Injection Budibase
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.

PostgreSQL RCE SQLi +3
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary code execution in TimescaleDB 2.23.0 through 2.25.1 allows local authenticated users to execute malicious functions by shadowing built-in PostgreSQL functions through user-writable schemas in the search_path setting during extension upgrades. An attacker with database access can create malicious functions in writable schemas that are invoked instead of legitimate PostgreSQL functions, resulting in code execution with database privileges. No patch is currently available for affected installations.

PostgreSQL RCE Timescaledb +2
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SQL injection in Chartbrew before 4.8.3. PoC available.

MySQL PostgreSQL Chartbrew
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM This Month

Packetbeat's PostgreSQL protocol parser improperly validates array indices, allowing authenticated attackers on the same network to crash the monitoring service by sending malicious packets. An attacker exploiting this denial-of-service vulnerability can terminate the Packetbeat process, disrupting monitoring capabilities on systems with PostgreSQL protocol monitoring enabled. No patch is currently available.

Golang PostgreSQL Denial Of Service +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Authenticated users in Apache Superset versions before 6.0.0 can execute write operations against PostgreSQL databases configured as read-only by crafting specially formatted SQL statements that evade validation checks. This allows an attacker with SQLLab access to perform unauthorized data modifications despite read-only protections being in place. No patch is currently available for affected versions.

Apache PostgreSQL Superset
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient SQL function restrictions in Apache Superset before 4.1.2 allow authenticated users to execute sensitive database functions on ClickHouse engines that should have been blocked. An attacker with database access could leverage the incomplete DISALLOWED_SQL_FUNCTIONS list to bypass security controls and potentially extract or manipulate data. No patch is currently available for affected versions of Apache Superset, PostgreSQL, and related deployments.

Apache PostgreSQL Superset
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Hardcoded SSH keys in Ruckus Network Director OVA < 4.5.0.56 for postgres user. Same across all appliances.

PostgreSQL Privilege Escalation
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Hardcoded PostgreSQL credentials in Ruckus Network Director OVA < 4.5.0.54.

PostgreSQL Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resources by exploiting improper timeout handling in STARTTLS request processing. An attacker can send a PostgreSQL SSLRequest prelude and then stall the connection indefinitely, bypassing the readTimeout protection and accumulating open connections until service availability is degraded. A patch is available in version 3.6.8.

PostgreSQL Denial Of Service Traefik
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Heap buffer overflow in the pg_trgm extension of PostgreSQL 18.0 and 18.1 allows authenticated database users to trigger memory corruption through specially crafted input strings. An attacker with database access could potentially achieve privilege escalation or cause service disruption, though exploit complexity is currently limited by restricted control over written data. No patch is currently available.

PostgreSQL Buffer Overflow Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution in PostgreSQL results from insufficient validation of multibyte character lengths in text manipulation functions, allowing authenticated database users to trigger buffer overflows and execute commands with database process privileges. Affected versions include PostgreSQL 14.x before 14.21, 15.x before 15.16, 16.x before 16.12, 17.x before 17.8, and all versions before 18.2. No patch is currently available, leaving databases vulnerable to privilege escalation attacks from database-level users.

PostgreSQL RCE
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution in PostgreSQL pgcrypto module (versions before 14.21, 15.16, 16.12, 17.8, and 18.2) stems from a heap buffer overflow that allows attackers with database access to execute commands with the privileges of the PostgreSQL system user. An authenticated attacker can exploit this vulnerability by providing specially crafted ciphertext to trigger the overflow condition. No patch is currently available, leaving affected PostgreSQL installations vulnerable to privilege escalation and full system compromise.

PostgreSQL Buffer Overflow Heap Overflow +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21 contain insufficient input validation in the intarray extension's selectivity estimator function, enabling authenticated users with object creation privileges to execute arbitrary code with database server privileges. The vulnerability requires valid database credentials but allows complete system compromise through code execution at the OS level. No patch is currently available for affected deployments.

PostgreSQL RCE
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Improper validation of the "oidvector" type in PostgreSQL allows authenticated database users to read small amounts of server memory, potentially exposing sensitive data. This vulnerability affects PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21, with no patch currently available for impacted systems.

PostgreSQL Red Hat Suse
NVD
EPSS 0% CVSS 7.6
HIGH POC PATCH This Week

OpenMetadata versions prior to 1.11.8 expose JWT tokens for the privileged ingestion-bot account through the /api/v1/ingestionPipelines API endpoint, allowing any read-only user to escalate privileges and impersonate a highly privileged service account. With public exploit code available and no patch currently deployed on most instances, attackers can perform destructive actions within OpenMetadata and access sensitive metadata that should be restricted by role-based policies. This vulnerability affects OpenMetadata deployments and related systems like PostgreSQL that depend on its authentication tokens.

PostgreSQL Openmetadata
NVD GitHub
EPSS 0% CVSS 8.0
HIGH This Week

Privilege escalation in PostgreSQL Anonymizer allows authenticated users with CREATE privileges to gain superuser access by exploiting unsafe function execution within temporary views. This vulnerability affects PostgreSQL 15 and later, with heightened risk on PostgreSQL 14 instances due to default public schema permissions, and impacts all users unable to upgrade to version 3.0.1 or later. No patch is currently available for affected deployments.

PostgreSQL
NVD
EPSS 0% CVSS 8.0
HIGH This Week

PostgreSQL Anonymizer allows authenticated users to escalate to superuser privileges by injecting malicious code into custom operators placed in the public schema, which execute with elevated privileges during extension creation. This vulnerability primarily affects PostgreSQL 14 and instances upgraded from earlier versions, as PostgreSQL 15+ restricts public schema creation permissions by default. A patch is available in PostgreSQL Anonymizer version 3.0.1 and later.

PostgreSQL
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-collection IDOR in Payload CMS before v3.74.0 allows authenticated users to read and delete preferences from other authentication collections when numeric user IDs overlap in PostgreSQL or SQLite deployments. This vulnerability affects multi-auth environments where default auto-increment IDs create collisions across separate user collections. An attacker with valid credentials in one authentication domain can access and manipulate sensitive preference data belonging to users in different authentication domains.

PostgreSQL SQLi Payload
NVD GitHub
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database. [CVSS 8.6 HIGH]

PostgreSQL SQLi pandas
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

SQLBot is an intelligent data query system based on a large language model and RAG. [CVSS 6.1 MEDIUM]

PostgreSQL AI / ML Sqlbot
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Hasura GraphQL 1.3.3 has a remote code execution vulnerability allowing attackers to execute arbitrary shell commands through the GraphQL endpoint.

PostgreSQL RCE Graphql Engine
NVD GitHub Exploit-DB
EPSS 0%
Monitor

Tandoor Recipes is a recipe manager than can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full database file may be externally accessible, potentially on the Internet. The root cause is that the NixOS module configures the working directory of Tandoor Recipes, as well as the value of `MEDIA_ROOT`, to be `/var/lib/tandoor-recipes`....

Nginx PostgreSQL SQLi
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC This Week

Odine Solutions GateKeeper 1.0 contains a SQL injection vulnerability in the trafficCycle API endpoint that allows remote attackers to inject malicious database queries. [CVSS 8.2 HIGH]

PostgreSQL SQLi
NVD Exploit-DB
EPSS 0% CVSS 9.0
CRITICAL Act Now

Veeam allows Backup Operators to execute code as postgres via malicious interval or order parameters. Another operator-to-RCE escalation path with scope change.

PostgreSQL RCE
NVD
EPSS 0% CVSS 9.0
CRITICAL Act Now

Veeam allows Backup Administrators to execute code as postgres via a malicious password parameter. Scope change means OS-level compromise from application-level admin access.

PostgreSQL RCE
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451 and enables full remote code execution through unsanitized PostgreSQL init script filenames passed to shell commands. A public proof-of-concept exploit is available, and while not currently in CISA KEV, the vulnerability has a moderate EPSS score of 0.41% indicating some exploitation probability.

Command Injection PostgreSQL RCE +3
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 allow anyone who can reach the database port to authenticate with full read/write access to the backend datastore. Publicly available exploit code exists, though EPSS remains low (0.81%) and the vendor states the database port is not network-exposed by default in 1.0.1 and later, limiting realistic reach. There is no public exploit identified as actively used in the wild (not in CISA KEV).

Authentication Bypass PostgreSQL Docker +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

SQLi PostgreSQL Python +5
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC This Week

PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP PostgreSQL +22
NVD
EPSS 0% CVSS 8.6
HIGH This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker Oracle Apache +7
NVD
EPSS 0% CVSS 8.6
HIGH This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker Oracle Apache +6
NVD
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Integer Overflow Buffer Overflow PostgreSQL +2
NVD GitHub
EPSS 0% CVSS 3.1
LOW Monitor

Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service PostgreSQL Authentication Bypass
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Python Privilege Escalation
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

A remote code execution (RCE) vulnerability in the Postgres Drivers component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PostgreSQL Code Injection +1
NVD
EPSS 2% CVSS 8.6
HIGH POC This Week

Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PostgreSQL Nagios Xi
NVD
EPSS 0% CVSS 8.1
HIGH POC This Week

The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Denial Of Service PostgreSQL +2
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL This Week

Dependency on Vulnerable Third-Party Component (CWE-1395) in the PostgreSQL backend in AxxonSoft Axxon One (C-Werk) 2.0.8 and earlier on Windows and Linux allows a remote attacker to escalate. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PostgreSQL Microsoft RCE +2
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH This Week

pREST (PostgreSQL REST), is an API that delivers an application on top of a Postgres database. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PostgreSQL SQLi Suse
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

OpenEBS Local PV RawFile allows dynamic deployment of Stateful Persistent Node-Local Volumes & Filesystems for Kubernetes. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Kubernetes PostgreSQL Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.6
HIGH POC This Week

NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PostgreSQL SQLi Nodebb
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH This Week

aiven-db-migrate is an Aiven database migration tool. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection PostgreSQL Privilege Escalation +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH This Week

aiven-db-migrate is an Aiven database migration tool. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Privilege Escalation PostgreSQL Path Traversal +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Month

Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE PostgreSQL SQLi +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Month

Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE PostgreSQL Red Hat +1
NVD
EPSS 0% CVSS 3.1
LOW Monitor

PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

PostgreSQL Information Disclosure
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.

PHP PostgreSQL SQLi +3
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

CVE-2025-1709 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure PostgreSQL Meac300 Fnade4 Firmware
NVD
EPSS 0% CVSS 8.6
HIGH This Week

The application is vulnerable to SQL injection attacks. An attacker is able to dump the PostgreSQL database and read its content.

PostgreSQL SQLi Meac300 Fnade4 Firmware
NVD
Prev Page 2 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy