Skip to main content

PostgreSQL

413 CVEs product

Monthly

CVE-2023-28630 MEDIUM PATCH This Month

GoCD is an open source continuous delivery server. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.

Information Disclosure PostgreSQL Gocd
NVD GitHub
CVSS 3.1
4.4
EPSS
0.3%
CVE-2023-28424 CRITICAL PATCH Act Now

Soko if the code that powers packages.gentoo.org. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

RCE PostgreSQL SQLi Soko
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-4223 PyPI HIGH POC PATCH THREAT This Week

The pgAdmin server includes an HTTP API that is intended to be used to validate the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Microsoft Code Injection PostgreSQL Pgadmin 4 +1
NVD GitHub
CVSS 3.1
8.8
EPSS
79.9%
CVE-2022-46792 HIGH PATCH This Week

Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass PostgreSQL Graphql Engine
NVD GitHub
CVSS 3.1
8.8
EPSS
0.8%
CVE-2022-41946 Maven MEDIUM POC PATCH This Month

pgjdbc is an open source postgresql JDBC Driver. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Apple Java PostgreSQL Postgresql Jdbc Driver +1
NVD GitHub
CVSS 3.1
5.5
EPSS
0.5%
CVE-2022-3971 npm MEDIUM PATCH This Month

A vulnerability was found in matrix-appservice-irc up to 0.35.1. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required.

SQLi PostgreSQL Matrix Irc Bridge
NVD GitHub VulDB
CVSS 3.1
5.6
EPSS
0.5%
CVE-2022-34434 MEDIUM PATCH This Month

Cloud Mobility for Dell Storage versions 1.3.0 and earlier contains an Improper Access Control vulnerability within the Postgres database. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity.

Authentication Bypass Dell PostgreSQL Cloud Mobility For Dell Emc Storage
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2022-36076 npm HIGH POC PATCH This Week

NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

PostgreSQL CSRF Redis Node.js Nodebb
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2022-1552 HIGH PATCH This Week

A flaw was found in PostgreSQL. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

PostgreSQL Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
12.4%
CVE-2022-36045 npm CRITICAL PATCH Act Now

NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PostgreSQL Redis Information Disclosure Node.js Nodebb
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-2625 HIGH This Week

A vulnerability was found in PostgreSQL. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE PostgreSQL Fedora Enterprise Linux
NVD
CVSS 3.1
8.0
EPSS
1.5%
CVE-2022-35942 npm CRITICAL PATCH Act Now

Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PostgreSQL SQLi Loopback Connector Postgresql
NVD GitHub
CVSS 3.1
10.0
EPSS
0.5%
CVE-2022-31197 Maven HIGH POC PATCH This Week

PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PostgreSQL SQLi Java Postgresql Jdbc Driver Debian Linux +1
NVD GitHub
CVSS 3.1
8.0
EPSS
1.7%
CVE-2022-31625 HIGH POC This Week

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

PHP Denial Of Service PostgreSQL Debian Linux
NVD
CVSS 3.1
8.1
EPSS
3.4%
CVE-2022-31769 MEDIUM PATCH This Month

IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.15.0 could allow a remote attacker to view product configuration information stored in PostgreSQL, which could be used in further attacks against. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure IBM PostgreSQL Spectrum Copy Data Management
NVD
CVSS 3.1
5.3
EPSS
1.1%
CVE-2022-24844 HIGH POC PATCH This Week

Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi PostgreSQL Gin Vue Admin
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2022-24760 npm CRITICAL POC PATCH THREAT Act Now

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Ubuntu RCE Microsoft PostgreSQL Parse Server
NVD GitHub
CVSS 3.1
10.0
EPSS
49.1%
CVE-2022-25225 HIGH POC This Week

Network Olympus version 1.8.0 allows an authenticated admin user to inject SQL queries in '/api/eventinstance' via the 'sqlparameter' JSON parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE SQLi PostgreSQL Network Olympus
NVD
CVSS 3.1
7.2
EPSS
2.8%
CVE-2021-43038 HIGH POC This Week

An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation PostgreSQL Unitrends Backup
NVD
CVSS 3.1
8.8
EPSS
2.2%
CVE-2021-43036 CRITICAL POC Act Now

An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PostgreSQL Brute Force Unitrends Backup
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2021-43035 CRITICAL POC Act Now

An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PostgreSQL RCE Unitrends Backup
NVD
CVSS 3.1
9.8
EPSS
3.3%
CVE-2021-44427 PHP CRITICAL POC PATCH THREAT Act Now

An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi PostgreSQL Rosariosis
NVD
CVSS 3.1
9.8
EPSS
50.6%
CVE-2021-32028 MEDIUM PATCH This Month

A flaw was found in postgresql. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PostgreSQL Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2021-32029 MEDIUM PATCH This Month

A flaw was found in postgresql. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PostgreSQL Information Disclosure Jboss Enterprise Application Platform
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2021-41558 CRITICAL Act Now

The set_user extension module before 3.0.0 for PostgreSQL allows ProcessUtility_hook bypass via set_config. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PostgreSQL Authentication Bypass Set User
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-38140 CRITICAL PATCH Act Now

The set_user extension module before 2.0.1 for PostgreSQL allows a potential privilege escalation using RESET SESSION AUTHORIZATION after set_user(). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

PostgreSQL Privilege Escalation Set User
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2021-3515 MEDIUM PATCH This Month

A shell injection flaw was found in pglogical in versions before 2.3.4 and before 3.6.26. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

PostgreSQL Command Injection Pglogical
NVD
CVSS 3.1
6.7
EPSS
0.5%
CVE-2021-32027 HIGH PATCH This Week

A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.

Integer Overflow PostgreSQL Information Disclosure Jboss Enterprise Application Platform Software Collections +1
NVD
CVSS 3.1
8.8
EPSS
2.0%
CVE-2021-33570 MEDIUM POC This Month

Postbird 0.8.4 allows stored XSS via the onerror attribute of an IMG element in any PostgreSQL database table. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PostgreSQL XSS Postbird
NVD GitHub Exploit-DB
CVSS 3.1
5.4
EPSS
3.6%
CVE-2021-33204 CRITICAL PATCH Act Now

In the pg_partman (aka PG Partition Manager) extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE PostgreSQL Pg Partman
NVD GitHub
CVSS 3.1
9.8
EPSS
2.2%
CVE-2021-3393 MEDIUM This Month

An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Information Disclosure Software Collections Enterprise Linux
NVD
CVSS 3.1
4.3
EPSS
1.2%
CVE-2021-20229 MEDIUM This Month

A flaw was found in PostgreSQL in versions before 13.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Authentication Bypass Software Collections Enterprise Linux Fedora
NVD
CVSS 3.1
4.3
EPSS
1.5%
CVE-2021-22880 Ruby HIGH POC PATCH This Week

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PostgreSQL Denial Of Service Rails Fedora
NVD
CVSS 3.1
7.5
EPSS
4.4%
CVE-2020-25696 HIGH PATCH This Week

A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required.

RCE PostgreSQL Debian Linux
NVD
CVSS 3.1
7.5
EPSS
2.6%
CVE-2020-25695 HIGH This Week

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi PostgreSQL Debian Linux
NVD
CVSS 3.1
8.8
EPSS
46.4%
CVE-2020-25694 HIGH PATCH This Week

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

PostgreSQL Information Disclosure Debian Linux
NVD
CVSS 3.1
8.1
EPSS
1.6%
CVE-2020-10733 HIGH This Week

The Windows installer for PostgreSQL 9.5 - 12 invokes system-provided executables that do not have fully-qualified paths. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

PostgreSQL RCE Microsoft
NVD
CVSS 3.1
7.3
EPSS
0.5%
CVE-2020-14350 HIGH This Week

It was found that some PostgreSQL extensions did not use search_path safely in their installation script. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

PostgreSQL Information Disclosure Debian Linux Leap Ubuntu Linux
NVD
CVSS 3.1
7.3
EPSS
0.5%
CVE-2020-14349 HIGH This Week

It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

SQLi PostgreSQL Leap
NVD
CVSS 3.1
7.1
EPSS
2.2%
CVE-2020-15070 HIGH This Week

Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres database, and chose to write a crafted custom profile field value. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection PostgreSQL Zulip Server
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2020-17446 PyPI CRITICAL PATCH Act Now

asyncpg before 0.21.0 allows a malicious PostgreSQL server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, because of access to an uninitialized. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PostgreSQL RCE Memory Corruption asyncpg Debian Linux
NVD GitHub
CVSS 3.1
9.8
EPSS
2.4%
CVE-2020-4062 CRITICAL PATCH Act Now

In Conjur OSS Helm Chart before 2.0.0, a recently identified critical vulnerability resulted in the installation of the Conjur Postgres database with an open port. Rated critical severity (CVSS 9.0), this vulnerability is low attack complexity.

Kubernetes Docker PostgreSQL Authentication Bypass Conjur Oss Helm Chart
NVD GitHub
CVSS 3.1
9.0
EPSS
1.4%
CVE-2020-13692 Maven HIGH PATCH This Week

PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

PostgreSQL XXE Postgresql Jdbc Driver Quarkus Steelstore Cloud Integrated Storage +2
NVD GitHub
CVSS 3.1
7.7
EPSS
4.1%
CVE-2020-5865 MEDIUM This Month

In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure PostgreSQL Nginx Nginx Controller Cloud Backup
NVD
CVSS 3.1
4.8
EPSS
0.4%
CVE-2020-11010 PyPI HIGH PATCH This Week

In Tortoise ORM before versions 0.15.23 and 0.16.6, various forms of SQL injection have been found for MySQL and when filtering or doing mass-updates on char/text fields. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi PostgreSQL Tortoise Orm
NVD GitHub
CVSS 3.1
8.8
EPSS
1.0%
CVE-2020-1707 HIGH This Week

A vulnerability was found in all openshift/postgresql-apb 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the container. Rated high severity (CVSS 7.0). No vendor patch available.

Privilege Escalation PostgreSQL Openshift
NVD
CVSS 3.1
7.0
EPSS
0.3%
CVE-2020-1720 MEDIUM PATCH This Month

A flaw was found in PostgreSQL's "ALTER ... Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

PostgreSQL Authentication Bypass Decision Manager Software Collections Enterprise Linux
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2020-7471 PyPI CRITICAL PATCH Act Now

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python SQLi PostgreSQL Django
NVD GitHub
CVSS 3.1
9.8
EPSS
65.3%
CVE-2019-19015 CRITICAL POC Act Now

An issue was discovered in TitanHQ WebTitan before 5.18. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PostgreSQL Information Disclosure Webtitan
NVD
CVSS 3.1
9.8
EPSS
3.3%
CVE-2019-3466 HIGH POC This Week

The pg_ctlcluster script in postgresql-common in versions prior to 210 didn't drop privileges when creating socket/statistics temporary directories, which could result in local privilege escalation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation PostgreSQL Postgresql Common Ubuntu Linux Debian Linux
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2019-10749 npm CRITICAL POC PATCH Act Now

sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi PostgreSQL Sequelize
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2019-10211 CRITICAL Act Now

Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via bundled OpenSSL executing code from unprotected directory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection OpenSSL PostgreSQL Microsoft RCE
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2019-10210 HIGH This Week

Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via superuser writing password to unprotected temporary file. Rated high severity (CVSS 7.0). No vendor patch available.

PostgreSQL Microsoft Information Disclosure
NVD
CVSS 3.1
7.0
EPSS
0.4%
CVE-2019-10209 LOW Monitor

Postgresql, versions 11.x before 11.5, is vulnerable to a memory disclosure in cross-type comparison for hashed subplan. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. No vendor patch available.

PostgreSQL Buffer Overflow Information Disclosure
NVD
CVSS 3.1
2.2
EPSS
1.1%
CVE-2019-10208 HIGH This Week

A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi PostgreSQL
NVD VulDB
CVSS 3.1
8.8
EPSS
2.2%
CVE-2019-14234 PyPI CRITICAL PATCH Act Now

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PostgreSQL Python Django Fedora +1
NVD
CVSS 3.0
9.8
EPSS
47.7%
CVE-2019-3800 HIGH This Week

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Cloud Foundry Command Line Interface Cloud Foundry Command Line Interface Release Cloud Foundry Deployment Cloud Foundry Deployment Concourse Tasks +42
NVD
CVSS 3.0
7.8
EPSS
2.1%
CVE-2019-10130 MEDIUM This Month

A vulnerability was found in PostgreSQL versions 11.x up to excluding 11.3, 10.x up to excluding 10.8, 9.6.x up to, excluding 9.6.13, 9.5.x up to, excluding 9.5.17. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass PostgreSQL Leap
NVD
CVSS 3.1
4.3
EPSS
1.1%
CVE-2019-10129 MEDIUM This Month

A vulnerability was found in postgresql versions 11.x prior to 11.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Buffer Overflow Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
1.6%
CVE-2019-4298 HIGH PATCH This Week

IBM Robotic Process Automation with Automation Anywhere 11 uses a high privileged PostgreSQL account for database access which could allow a local user to perform actions they should not have. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity.

PostgreSQL IBM Information Disclosure Robotic Process Automation With Automation Anywhere
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2019-10164 HIGH This Week

PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Buffer Overflow Stack Overflow RCE Enterprise Linux +2
NVD
CVSS 3.1
8.8
EPSS
3.7%
CVE-2019-9193 HIGH POC THREAT Act Now

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PostgreSQL Microsoft Apple RCE
NVD Exploit-DB
CVSS 3.0
7.2
EPSS
91.9%
CVE-2018-0468 HIGH This Week

A vulnerability in the configuration of a local database installed as part of the Cisco Energy Management Suite (CEMS) could allow an authenticated, local attacker to access and alter confidential. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass PostgreSQL Cisco Energy Management Suite
NVD
CVSS 3.0
7.8
EPSS
0.3%
CVE-2018-15441 CRITICAL Act Now

A vulnerability in the web framework code of Cisco Prime License Manager (PLM) could allow an unauthenticated, remote attacker to execute arbitrary SQL queries. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PostgreSQL Cisco Prime License Manager
NVD
CVSS 3.0
9.8
EPSS
3.7%
CVE-2018-16850 CRITICAL PATCH Act Now

postgresql before versions 11.1, 10.6 is vulnerable to a to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi PostgreSQL Enterprise Linux Ubuntu Linux
NVD
CVSS 3.1
9.8
EPSS
5.1%
CVE-2018-10936 Maven HIGH PATCH This Week

A weakness was found in postgresql-jdbc before version 42.2.5. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure PostgreSQL Postgresql Jdbc Driver Enterprise Linux
NVD
CVSS 3.0
8.1
EPSS
2.9%
CVE-2018-10925 HIGH PATCH This Week

It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass PostgreSQL Ubuntu Linux Debian Linux
NVD
CVSS 3.1
8.1
EPSS
2.2%
CVE-2018-10915 HIGH PATCH This Week

A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi PostgreSQL Openstack Virtualization Enterprise Linux Desktop +5
NVD
CVSS 3.0
7.5
EPSS
5.2%
CVE-2018-5384 CRITICAL POC Act Now

Navarino Infinity web interface up to version 2.2 exposes an unauthenticated script that is prone to blind sql injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PostgreSQL Infinity
NVD
CVSS 3.0
9.8
EPSS
4.4%
CVE-2018-1115 CRITICAL PATCH Act Now

postgresql before versions 10.4, 9.6.9 is vulnerable in the adminpack extension, the pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs than pg_rorate_logfile. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Information Disclosure PostgreSQL Leap
NVD
CVSS 3.1
9.1
EPSS
4.0%
CVE-2018-10286 HIGH POC This Week

The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive information such as the NMS admin credentials and the PostgreSQL database credentials to logged-in users via the responses to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ericsson Information Disclosure PostgreSQL Ipecs Nms
NVD GitHub Exploit-DB
CVSS 3.0
8.8
EPSS
6.6%
CVE-2018-5342 HIGH POC This Week

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure PostgreSQL Manageengine Desktop Central
NVD
CVSS 3.0
7.2
EPSS
3.8%
CVE-2018-1058 HIGH This Week

A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure PostgreSQL Ubuntu Linux Cloudforms
NVD
CVSS 3.1
8.8
EPSS
14.1%
CVE-2018-1053 HIGH PATCH This Week

In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of. Rated high severity (CVSS 7.0).

Information Disclosure PostgreSQL Debian Linux Ubuntu Linux Cloudforms
NVD
CVSS 3.0
7.0
EPSS
0.5%
CVE-2018-1052 MEDIUM PATCH This Month

Memory disclosure vulnerability in table partitioning was found in postgresql 10.x before 10.2, allowing an authenticated attacker to read arbitrary bytes of server memory via purpose-crafted insert. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure PostgreSQL
NVD
CVSS 3.0
6.5
EPSS
1.8%
CVE-2017-11480 Go HIGH PATCH This Week

Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service PostgreSQL Packetbeat
NVD
CVSS 3.0
7.5
EPSS
0.5%
CVE-2016-1255 HIGH PATCH This Week

The pg_ctlcluster script in postgresql-common package in Debian wheezy before 134wheezy5, in Debian jessie before 165+deb8u2, in Debian unstable before 178, in Ubuntu 12.04 LTS before 129ubuntu1.2,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Ubuntu Debian PostgreSQL Information Disclosure Postgresql Common
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2017-12172 MEDIUM This Month

PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a non-root operating system account, and database. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

RCE PostgreSQL
NVD
CVSS 3.0
6.7
EPSS
0.1%
CVE-2017-15099 MEDIUM This Month

INSERT ... Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 27.1% and no vendor patch available.

PostgreSQL Information Disclosure Debian Linux
NVD
CVSS 3.0
6.5
EPSS
27.1%
CVE-2017-15098 HIGH This Week

Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Information Disclosure Debian Linux
NVD
CVSS 3.0
8.1
EPSS
0.9%
CVE-2017-8806 MEDIUM This Month

The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Ubuntu Debian PostgreSQL
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2017-7548 HIGH This Week

PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers with no privileges on a large object to overwrite the entire contents. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service PostgreSQL Authentication Bypass Debian Linux
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2017-7547 HIGH This Week

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers to retrieve passwords from the user mappings defined by. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Information Disclosure
NVD
CVSS 3.0
8.8
EPSS
1.0%
CVE-2017-7546 CRITICAL Emergency

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 33.1% and no vendor patch available.

PostgreSQL Authentication Bypass Debian Linux
NVD
CVSS 3.0
9.8
EPSS
33.1%
CVE-2015-3156 PyPI MEDIUM PATCH This Month

The _write_config function in trove/guestagent/datastore/experimental/mongodb/service.py, reset_configuration function in trove/guestagent/datastore/experimental/postgresql/service/config.py,. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Redis PostgreSQL Information Disclosure Trove
NVD GitHub
CVSS 3.0
5.5
EPSS
0.1%
CVE-2017-11693 CRITICAL Act Now

MEDHOST Document Management System contains hard-coded credentials that are used for customer database access. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PostgreSQL Authentication Bypass Medhost Document Management System
NVD
CVSS 3.0
9.1
EPSS
0.2%
CVE-2016-2192 MEDIUM This Month

PostgreSQL PL/Java before 1.5.0 allows remote authenticated users to alter type mappings for types they do not own. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Java Privilege Escalation Pl Java
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2016-0768 HIGH This Week

PostgreSQL PL/Java after 9.0 does not honor access controls on large objects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PostgreSQL Authentication Bypass Java
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2016-0767 Maven MEDIUM PATCH This Month

PostgreSQL PL/Java before 1.5.0 allows remote authenticated users with USAGE permission on the public schema to alter the public schema classpath. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

PostgreSQL Java Privilege Escalation Pl Java
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2017-7486 HIGH This Week

PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PostgreSQL Information Disclosure
NVD
CVSS 3.0
7.5
EPSS
4.2%
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

GoCD is an open source continuous delivery server. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.

Information Disclosure PostgreSQL Gocd
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Soko if the code that powers packages.gentoo.org. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

RCE PostgreSQL SQLi +1
NVD GitHub
EPSS 80% CVSS 8.8
HIGH POC PATCH THREAT This Week

The pgAdmin server includes an HTTP API that is intended to be used to validate the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Microsoft Code Injection +3
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass PostgreSQL Graphql Engine
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

pgjdbc is an open source postgresql JDBC Driver. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Apple Java +3
NVD GitHub
EPSS 1% CVSS 5.6
MEDIUM PATCH This Month

A vulnerability was found in matrix-appservice-irc up to 0.35.1. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required.

SQLi PostgreSQL Matrix Irc Bridge
NVD GitHub VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Cloud Mobility for Dell Storage versions 1.3.0 and earlier contains an Improper Access Control vulnerability within the Postgres database. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity.

Authentication Bypass Dell PostgreSQL +1
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

PostgreSQL CSRF Redis +2
NVD GitHub
EPSS 12% CVSS 8.8
HIGH PATCH This Week

A flaw was found in PostgreSQL. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

PostgreSQL Information Disclosure
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PostgreSQL Redis Information Disclosure +2
NVD GitHub
EPSS 2% CVSS 8.0
HIGH This Week

A vulnerability was found in PostgreSQL. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE PostgreSQL Fedora +1
NVD
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PostgreSQL SQLi Loopback Connector Postgresql
NVD GitHub
EPSS 2% CVSS 8.0
HIGH POC PATCH This Week

PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PostgreSQL SQLi Java +3
NVD GitHub
EPSS 3% CVSS 8.1
HIGH POC This Week

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

PHP Denial Of Service PostgreSQL +1
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.15.0 could allow a remote attacker to view product configuration information stored in PostgreSQL, which could be used in further attacks against. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure IBM PostgreSQL +1
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi PostgreSQL Gin Vue Admin
NVD GitHub
EPSS 49% CVSS 10.0
CRITICAL POC PATCH THREAT Act Now

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Ubuntu RCE Microsoft +2
NVD GitHub
EPSS 3% CVSS 7.2
HIGH POC This Week

Network Olympus version 1.8.0 allows an authenticated admin user to inject SQL queries in '/api/eventinstance' via the 'sqlparameter' JSON parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE SQLi PostgreSQL +1
NVD
EPSS 2% CVSS 8.8
HIGH POC This Week

An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation PostgreSQL Unitrends Backup
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PostgreSQL Brute Force +1
NVD
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PostgreSQL RCE +1
NVD
EPSS 51% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi PostgreSQL +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in postgresql. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PostgreSQL Information Disclosure
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in postgresql. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PostgreSQL Information Disclosure Jboss Enterprise Application Platform
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The set_user extension module before 3.0.0 for PostgreSQL allows ProcessUtility_hook bypass via set_config. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PostgreSQL Authentication Bypass Set User
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The set_user extension module before 2.0.1 for PostgreSQL allows a potential privilege escalation using RESET SESSION AUTHORIZATION after set_user(). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

PostgreSQL Privilege Escalation Set User
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

A shell injection flaw was found in pglogical in versions before 2.3.4 and before 3.6.26. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

PostgreSQL Command Injection Pglogical
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.

Integer Overflow PostgreSQL Information Disclosure +3
NVD
EPSS 4% CVSS 5.4
MEDIUM POC This Month

Postbird 0.8.4 allows stored XSS via the onerror attribute of an IMG element in any PostgreSQL database table. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PostgreSQL XSS Postbird
NVD GitHub Exploit-DB
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

In the pg_partman (aka PG Partition Manager) extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE PostgreSQL Pg Partman
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM This Month

An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Information Disclosure Software Collections +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

A flaw was found in PostgreSQL in versions before 13.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Authentication Bypass Software Collections +2
NVD
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PostgreSQL Denial Of Service Rails +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required.

RCE PostgreSQL Debian Linux
NVD
EPSS 46% CVSS 8.8
HIGH This Week

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi PostgreSQL Debian Linux
NVD
EPSS 2% CVSS 8.1
HIGH PATCH This Week

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

PostgreSQL Information Disclosure Debian Linux
NVD
EPSS 1% CVSS 7.3
HIGH This Week

The Windows installer for PostgreSQL 9.5 - 12 invokes system-provided executables that do not have fully-qualified paths. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

PostgreSQL RCE Microsoft
NVD
EPSS 1% CVSS 7.3
HIGH This Week

It was found that some PostgreSQL extensions did not use search_path safely in their installation script. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

PostgreSQL Information Disclosure Debian Linux +2
NVD
EPSS 2% CVSS 7.1
HIGH This Week

It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

SQLi PostgreSQL Leap
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres database, and chose to write a crafted custom profile field value. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection PostgreSQL +1
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

asyncpg before 0.21.0 allows a malicious PostgreSQL server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, because of access to an uninitialized. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PostgreSQL RCE Memory Corruption +2
NVD GitHub
EPSS 1% CVSS 9.0
CRITICAL PATCH Act Now

In Conjur OSS Helm Chart before 2.0.0, a recently identified critical vulnerability resulted in the installation of the Conjur Postgres database with an open port. Rated critical severity (CVSS 9.0), this vulnerability is low attack complexity.

Kubernetes Docker PostgreSQL +2
NVD GitHub
EPSS 4% CVSS 7.7
HIGH PATCH This Week

PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

PostgreSQL XXE Postgresql Jdbc Driver +4
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure PostgreSQL Nginx +2
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

In Tortoise ORM before versions 0.15.23 and 0.16.6, various forms of SQL injection have been found for MySQL and when filtering or doing mass-updates on char/text fields. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi PostgreSQL Tortoise Orm
NVD GitHub
EPSS 0% CVSS 7.0
HIGH This Week

A vulnerability was found in all openshift/postgresql-apb 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the container. Rated high severity (CVSS 7.0). No vendor patch available.

Privilege Escalation PostgreSQL Openshift
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in PostgreSQL's "ALTER ... Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

PostgreSQL Authentication Bypass Decision Manager +2
NVD
EPSS 65% CVSS 9.8
CRITICAL PATCH Act Now

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python SQLi PostgreSQL +1
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in TitanHQ WebTitan before 5.18. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PostgreSQL Information Disclosure Webtitan
NVD
EPSS 0% CVSS 7.8
HIGH POC This Week

The pg_ctlcluster script in postgresql-common in versions prior to 210 didn't drop privileges when creating socket/statistics temporary directories, which could result in local privilege escalation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation PostgreSQL Postgresql Common +2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi PostgreSQL Sequelize
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via bundled OpenSSL executing code from unprotected directory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection OpenSSL PostgreSQL +2
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via superuser writing password to unprotected temporary file. Rated high severity (CVSS 7.0). No vendor patch available.

PostgreSQL Microsoft Information Disclosure
NVD
EPSS 1% CVSS 2.2
LOW Monitor

Postgresql, versions 11.x before 11.5, is vulnerable to a memory disclosure in cross-type comparison for hashed subplan. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. No vendor patch available.

PostgreSQL Buffer Overflow Information Disclosure
NVD
EPSS 2% CVSS 8.8
HIGH This Week

A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi PostgreSQL
NVD VulDB
EPSS 48% CVSS 9.8
CRITICAL PATCH Act Now

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PostgreSQL Python +3
NVD
EPSS 2% CVSS 7.8
HIGH This Week

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Cloud Foundry Command Line Interface Cloud Foundry Command Line Interface Release +44
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

A vulnerability was found in PostgreSQL versions 11.x up to excluding 11.3, 10.x up to excluding 10.8, 9.6.x up to, excluding 9.6.13, 9.5.x up to, excluding 9.5.17. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass PostgreSQL Leap
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

A vulnerability was found in postgresql versions 11.x prior to 11.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Buffer Overflow Information Disclosure
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

IBM Robotic Process Automation with Automation Anywhere 11 uses a high privileged PostgreSQL account for database access which could allow a local user to perform actions they should not have. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity.

PostgreSQL IBM Information Disclosure +1
NVD
EPSS 4% CVSS 8.8
HIGH This Week

PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Buffer Overflow Stack Overflow +4
NVD
EPSS 92% CVSS 7.2
HIGH POC THREAT Act Now

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PostgreSQL Microsoft +2
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH This Week

A vulnerability in the configuration of a local database installed as part of the Cisco Energy Management Suite (CEMS) could allow an authenticated, local attacker to access and alter confidential. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass PostgreSQL Cisco +1
NVD
EPSS 4% CVSS 9.8
CRITICAL Act Now

A vulnerability in the web framework code of Cisco Prime License Manager (PLM) could allow an unauthenticated, remote attacker to execute arbitrary SQL queries. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PostgreSQL Cisco +1
NVD
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

postgresql before versions 11.1, 10.6 is vulnerable to a to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi PostgreSQL Enterprise Linux +1
NVD
EPSS 3% CVSS 8.1
HIGH PATCH This Week

A weakness was found in postgresql-jdbc before version 42.2.5. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure PostgreSQL Postgresql Jdbc Driver +1
NVD
EPSS 2% CVSS 8.1
HIGH PATCH This Week

It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass PostgreSQL Ubuntu Linux +1
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi PostgreSQL Openstack +7
NVD
EPSS 4% CVSS 9.8
CRITICAL POC Act Now

Navarino Infinity web interface up to version 2.2 exposes an unauthenticated script that is prone to blind sql injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PostgreSQL Infinity
NVD
EPSS 4% CVSS 9.1
CRITICAL PATCH Act Now

postgresql before versions 10.4, 9.6.9 is vulnerable in the adminpack extension, the pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs than pg_rorate_logfile. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Information Disclosure PostgreSQL Leap
NVD
EPSS 7% CVSS 8.8
HIGH POC This Week

The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive information such as the NMS admin credentials and the PostgreSQL database credentials to logged-in users via the responses to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ericsson Information Disclosure PostgreSQL +1
NVD GitHub Exploit-DB
EPSS 4% CVSS 7.2
HIGH POC This Week

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure PostgreSQL +1
NVD
EPSS 14% CVSS 8.8
HIGH This Week

A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure PostgreSQL Ubuntu Linux +1
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of. Rated high severity (CVSS 7.0).

Information Disclosure PostgreSQL Debian Linux +2
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Memory disclosure vulnerability in table partitioning was found in postgresql 10.x before 10.2, allowing an authenticated attacker to read arbitrary bytes of server memory via purpose-crafted insert. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure PostgreSQL
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service PostgreSQL Packetbeat
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

The pg_ctlcluster script in postgresql-common package in Debian wheezy before 134wheezy5, in Debian jessie before 165+deb8u2, in Debian unstable before 178, in Ubuntu 12.04 LTS before 129ubuntu1.2,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Ubuntu Debian PostgreSQL +2
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a non-root operating system account, and database. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

RCE PostgreSQL
NVD
EPSS 27% CVSS 6.5
MEDIUM This Month

INSERT ... Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 27.1% and no vendor patch available.

PostgreSQL Information Disclosure Debian Linux
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Information Disclosure Debian Linux
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Ubuntu Debian +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers with no privileges on a large object to overwrite the entire contents. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service PostgreSQL Authentication Bypass +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers to retrieve passwords from the user mappings defined by. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Information Disclosure
NVD
EPSS 33% CVSS 9.8
CRITICAL Emergency

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 33.1% and no vendor patch available.

PostgreSQL Authentication Bypass Debian Linux
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The _write_config function in trove/guestagent/datastore/experimental/mongodb/service.py, reset_configuration function in trove/guestagent/datastore/experimental/postgresql/service/config.py,. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Redis PostgreSQL Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

MEDHOST Document Management System contains hard-coded credentials that are used for customer database access. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PostgreSQL Authentication Bypass Medhost Document Management System
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

PostgreSQL PL/Java before 1.5.0 allows remote authenticated users to alter type mappings for types they do not own. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Java Privilege Escalation +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

PostgreSQL PL/Java after 9.0 does not honor access controls on large objects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PostgreSQL Authentication Bypass Java
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

PostgreSQL PL/Java before 1.5.0 allows remote authenticated users with USAGE permission on the public schema to alter the public schema classpath. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

PostgreSQL Java Privilege Escalation +1
NVD
EPSS 4% CVSS 7.5
HIGH This Week

PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PostgreSQL Information Disclosure
NVD
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy