
    10 vulnerabilities found for pgx by jackc

    CVE-2026-41889 (GCVE-0-2026-41889)

    Vulnerability from nvd – Published: 2026-05-08 15:53 – Updated: 2026-05-08 19:38
    VLAI
    Title
    pgx: SQL Injection via placeholder confusion with dollar quoted string literals
    Summary
    pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar-quoted string literal is used in the SQL query, that string literal contains text that would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.
    SSVC
    Exploitation: none · Automatable: no · Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    jackc pgx Affected: < 5.9.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41889",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T19:38:09.336936Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T19:38:34.153Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pgx",
              "vendor": "jackc",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.9.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-08T15:53:00.251Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx"
            },
            {
              "name": "https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da"
            },
            {
              "name": "https://github.com/jackc/pgx/releases/tag/v5.9.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jackc/pgx/releases/tag/v5.9.2"
            }
          ],
          "source": {
            "advisory": "GHSA-j88v-2chj-qfwx",
            "discovery": "UNKNOWN"
          },
          "title": "pgx: SQL Injection via placeholder confusion with dollar quoted string literals"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41889",
        "datePublished": "2026-05-08T15:53:00.251Z",
        "dateReserved": "2026-04-22T15:11:54.671Z",
        "dateUpdated": "2026-05-08T19:38:34.153Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33816 (GCVE-0-2026-33816)

    Vulnerability from nvd – Published: 2026-04-07 15:19 – Updated: 2026-06-30 12:06
    VLAI
    Title
    CVE-2026-33816 in github.com/jackc/pgx
    Summary
    Memory-safety vulnerability in github.com/jackc/pgx/v5.
    SSVC
    Exploitation: none · Automatable: yes · Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Go
    References
    URL Tags
    https://pkg.go.dev/vuln/GO-2026-4772
    https://access.redhat.com/security/cve/CVE-2026-33816 vdb-entry, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2455972 issue-tracking, x_refsource_REDHAT
    https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
    https://access.redhat.com/errata/RHSA-2026:17789 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:19137 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:26636 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:22423 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24503 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24539 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:25273 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:13829 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11070 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11217 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:13791 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:13907 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:26519 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24479 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24475 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24482 vendor-advisory, x_refsource_REDHAT
    Impacted products
    Vendor Product Version
    github.com/jackc/pgx/v5 github.com/jackc/pgx/v5/pgproto3 Affected: >= 0, < 5.9.0 (semver)
    Red Hat Cryostat 4 on RHEL 9     cpe:/a:redhat:cryostat:4::el9
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.2
    Red Hat Custom Metric Autoscaler 2.19     cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.19::el9
    Red Hat Multicluster Global Hub 1.3.4     cpe:/a:redhat:multicluster_globalhub:1.3::el9
    Red Hat Multicluster Global Hub 1.7.1     cpe:/a:redhat:multicluster_globalhub:1.7::el9
    Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.15     cpe:/a:redhat:acm:2.15::el9
    Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.16     cpe:/a:redhat:acm:2.16::el9
    Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.10     cpe:/a:redhat:advanced_cluster_security:4.10::el8
    Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.8     cpe:/a:redhat:advanced_cluster_security:4.8::el8
    Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.9     cpe:/a:redhat:advanced_cluster_security:4.9::el8
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Red Hat Red Hat OpenShift Pipelines 1.21     cpe:/a:redhat:openshift_pipelines:1.21::el9
    Red Hat Red Hat Trusted Artifact Signer 1.3     cpe:/a:redhat:trusted_artifact_signer:1.3::el9
    Red Hat Custom Metric Autoscaler operator for Red Hat Openshift     cpe:/a:redhat:openshift_custom_metrics_autoscaler:2
    Red Hat Multicluster Engine for Kubernetes     cpe:/a:redhat:multicluster_engine
    Red Hat Multicluster Global Hub     cpe:/a:redhat:multicluster_globalhub
    Red Hat Red Hat 3scale API Management Platform 2     cpe:/a:redhat:red_hat_3scale_amp:2
    Red Hat Red Hat Advanced Cluster Security 4     cpe:/a:redhat:advanced_cluster_security:4
    Red Hat Red Hat Edge Manager 1     cpe:/a:redhat:edge_manager:1
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Red Hat Red Hat Openshift Data Foundation 4     cpe:/a:redhat:openshift_data_foundation:4
    Red Hat Red Hat Trusted Artifact Signer     cpe:/a:redhat:trusted_artifact_signer:1
    Red Hat Zero Trust Workload Identity Manager - Tech Preview     cpe:/a:redhat:zero_trust_workload_identity_manager:0
    Red Hat Red Hat Quay 3     cpe:/a:redhat:quay:3
    Red Hat Zero Trust Workload Identity Manager     cpe:/a:redhat:zero_trust_workload_identity_manager:1
    Red Hat OpenShift Pipelines     cpe:/a:redhat:openshift_pipelines:1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33816",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T14:24:50.570972Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T16:04:30.991Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Cryostat 4 on RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.19::el9"
                ],
                "defaultStatus": "affected",
                "product": "Custom Metric Autoscaler 2.19",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_globalhub:1.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Global Hub 1.3.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_globalhub:1.7::el9"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Global Hub 1.7.1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:acm:2.15::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Management for Kubernetes 2.15",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:acm:2.16::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Management for Kubernetes 2.16",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4.10::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Security for Kubernetes 4.10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4.8::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Security for Kubernetes 4.8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4.9::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Security for Kubernetes 4.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_pipelines:1.21::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Pipelines 1.21",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:trusted_artifact_signer:1.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Trusted Artifact Signer 1.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2"
                ],
                "defaultStatus": "affected",
                "product": "Custom Metric Autoscaler operator for Red Hat Openshift",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_engine"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Engine for Kubernetes",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_globalhub"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Global Hub",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:red_hat_3scale_amp:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat 3scale API Management Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Security 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:edge_manager:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Edge Manager 1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:trusted_artifact_signer:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Trusted Artifact Signer",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:zero_trust_workload_identity_manager:0"
                ],
                "defaultStatus": "affected",
                "product": "Zero Trust Workload Identity Manager - Tech Preview",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quay:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Quay 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:zero_trust_workload_identity_manager:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Zero Trust Workload Identity Manager",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_pipelines:1"
                ],
                "defaultStatus": "unknown",
                "product": "OpenShift Pipelines",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-07T15:19:24.529Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in github.com/jackc/pgx, a PostgreSQL driver for Go. This memory-safety vulnerability could allow an attacker to cause various impacts, such as denial of service (DoS) or potentially arbitrary code execution, by exploiting memory corruption issues. The exact method of exploitation and specific consequences would depend on the nature of the memory corruption."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 8.3,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-787",
                    "description": "Out-of-bounds Write",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:18.981Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-33816"
              },
              {
                "name": "RHBZ#2455972",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455972"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33816.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:17789"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:19137"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26636"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22423"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24503"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24539"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:25273"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13829"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11070"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11217"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13791"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13907"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26519"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24479"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24475"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24482"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:17789: Cryostat 4 on RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:19137: Red Hat Enterprise Linux AppStream (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26636: Custom Metric Autoscaler 2.19"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22423: Multicluster Global Hub 1.3.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24503: Multicluster Global Hub 1.7.1"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24539: Red Hat Advanced Cluster Management for Kubernetes 2.15"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:25273: Red Hat Advanced Cluster Management for Kubernetes 2.16"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13829: Red Hat Advanced Cluster Security for Kubernetes 4.10"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11070: Red Hat Advanced Cluster Security for Kubernetes 4.8"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11217: Red Hat Advanced Cluster Security for Kubernetes 4.8"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13791: Red Hat Advanced Cluster Security for Kubernetes 4.9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13907: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26519: Red Hat OpenShift Pipelines 1.21"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24479: Red Hat Trusted Artifact Signer 1.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24475: Red Hat Trusted Artifact Signer 1.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24482: Red Hat Trusted Artifact Signer 1.3"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-07T16:01:14.142Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-07T15:19:24.529Z",
                "value": "Made public."
              }
            ],
            "title": "github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "github.com/jackc/pgx/v5/pgproto3",
              "product": "github.com/jackc/pgx/v5/pgproto3",
              "programRoutines": [
                {
                  "name": "FunctionCall.Decode"
                },
                {
                  "name": "Backend.Receive"
                }
              ],
              "vendor": "github.com/jackc/pgx/v5",
              "versions": [
                {
                  "lessThan": "5.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Memory-safety vulnerability in github.com/jackc/pgx/v5."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-697 \u2014 Incorrect Comparison",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T15:49:13.116Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-4772"
            }
          ],
          "title": "CVE-2026-33816 in github.com/jackc/pgx"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-33816",
        "datePublished": "2026-04-07T15:19:24.529Z",
        "dateReserved": "2026-03-23T20:35:32.814Z",
        "dateUpdated": "2026-06-30T12:06:18.981Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33815 (GCVE-0-2026-33815)

    Vulnerability from nvd – Published: 2026-04-07 15:19 – Updated: 2026-06-30 12:07
    Title
    CVE-2026-33815 in github.com/jackc/pgx
    Summary
    Memory-safety vulnerability in github.com/jackc/pgx/v5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    Assigner
    Go
    References
    URL Tags
    https://pkg.go.dev/vuln/GO-2026-4771
    https://access.redhat.com/security/cve/CVE-2026-33815 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2455975 issue-trackingx_refsource_REDHAT
    https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
    https://access.redhat.com/errata/RHSA-2026:17789 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:26636 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:22423 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24503 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24539 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:25273 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:13829 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11070 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11217 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:13791 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24479 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24475 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24482 vendor-advisoryx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    github.com/jackc/pgx/v5 github.com/jackc/pgx/v5/pgproto3 Affected: 0 , < 5.9.0 (semver)
    Red Hat Cryostat 4 on RHEL 9     cpe:/a:redhat:cryostat:4::el9
    Red Hat Custom Metric Autoscaler 2.19     cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.19::el9
    Red Hat Multicluster Global Hub 1.3.4     cpe:/a:redhat:multicluster_globalhub:1.3::el9
    Red Hat Multicluster Global Hub 1.7.1     cpe:/a:redhat:multicluster_globalhub:1.7::el9
    Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.15     cpe:/a:redhat:acm:2.15::el9
    Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.16     cpe:/a:redhat:acm:2.16::el9
    Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.10     cpe:/a:redhat:advanced_cluster_security:4.10::el8
    Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.8     cpe:/a:redhat:advanced_cluster_security:4.8::el8
    Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.9     cpe:/a:redhat:advanced_cluster_security:4.9::el8
    Red Hat Red Hat Trusted Artifact Signer 1.3     cpe:/a:redhat:trusted_artifact_signer:1.3::el9
    Red Hat Custom Metric Autoscaler operator for Red Hat Openshift     cpe:/a:redhat:openshift_custom_metrics_autoscaler:2
    Red Hat Multicluster Engine for Kubernetes     cpe:/a:redhat:multicluster_engine
    Red Hat Multicluster Global Hub     cpe:/a:redhat:multicluster_globalhub
    Red Hat OpenShift Pipelines     cpe:/a:redhat:openshift_pipelines:1
    Red Hat Red Hat 3scale API Management Platform 2     cpe:/a:redhat:red_hat_3scale_amp:2
    Red Hat Red Hat Advanced Cluster Security 4     cpe:/a:redhat:advanced_cluster_security:4
    Red Hat Red Hat Edge Manager 1     cpe:/a:redhat:edge_manager:1
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Red Hat Red Hat Openshift Data Foundation 4     cpe:/a:redhat:openshift_data_foundation:4
    Red Hat Red Hat Trusted Artifact Signer     cpe:/a:redhat:trusted_artifact_signer:1
    Red Hat Zero Trust Workload Identity Manager - Tech Preview     cpe:/a:redhat:zero_trust_workload_identity_manager:0
    Red Hat Red Hat Quay 3     cpe:/a:redhat:quay:3
    Red Hat Zero Trust Workload Identity Manager     cpe:/a:redhat:zero_trust_workload_identity_manager:1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33815",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T14:21:42.714758Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T16:04:02.725Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Cryostat 4 on RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.19::el9"
                ],
                "defaultStatus": "affected",
                "product": "Custom Metric Autoscaler 2.19",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_globalhub:1.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Global Hub 1.3.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_globalhub:1.7::el9"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Global Hub 1.7.1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:acm:2.15::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Management for Kubernetes 2.15",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:acm:2.16::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Management for Kubernetes 2.16",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4.10::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Security for Kubernetes 4.10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4.8::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Security for Kubernetes 4.8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4.9::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Security for Kubernetes 4.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:trusted_artifact_signer:1.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Trusted Artifact Signer 1.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2"
                ],
                "defaultStatus": "affected",
                "product": "Custom Metric Autoscaler operator for Red Hat Openshift",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_engine"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Engine for Kubernetes",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_globalhub"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Global Hub",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_pipelines:1"
                ],
                "defaultStatus": "affected",
                "product": "OpenShift Pipelines",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:red_hat_3scale_amp:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat 3scale API Management Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Security 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:edge_manager:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Edge Manager 1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:trusted_artifact_signer:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Trusted Artifact Signer",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:zero_trust_workload_identity_manager:0"
                ],
                "defaultStatus": "affected",
                "product": "Zero Trust Workload Identity Manager - Tech Preview",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quay:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Quay 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:zero_trust_workload_identity_manager:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Zero Trust Workload Identity Manager",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-07T15:19:24.344Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in github.com/jackc/pgx. This memory-safety vulnerability could potentially lead to unexpected behavior or system instability."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 8.3,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-787",
                    "description": "Out-of-bounds Write",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:07:31.877Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-33815"
              },
              {
                "name": "RHBZ#2455975",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455975"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33815.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:17789"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26636"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22423"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24503"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24539"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:25273"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13829"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11070"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11217"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13791"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24479"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24475"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24482"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:17789: Cryostat 4 on RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26636: Custom Metric Autoscaler 2.19"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22423: Multicluster Global Hub 1.3.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24503: Multicluster Global Hub 1.7.1"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24539: Red Hat Advanced Cluster Management for Kubernetes 2.15"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:25273: Red Hat Advanced Cluster Management for Kubernetes 2.16"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13829: Red Hat Advanced Cluster Security for Kubernetes 4.10"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11070: Red Hat Advanced Cluster Security for Kubernetes 4.8"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11217: Red Hat Advanced Cluster Security for Kubernetes 4.8"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13791: Red Hat Advanced Cluster Security for Kubernetes 4.9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24479: Red Hat Trusted Artifact Signer 1.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24475: Red Hat Trusted Artifact Signer 1.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24482: Red Hat Trusted Artifact Signer 1.3"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-07T16:01:25.130Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-07T15:19:24.344Z",
                "value": "Made public."
              }
            ],
            "title": "github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "github.com/jackc/pgx/v5/pgproto3",
              "product": "github.com/jackc/pgx/v5/pgproto3",
              "programRoutines": [
                {
                  "name": "Bind.Decode"
                },
                {
                  "name": "Backend.Receive"
                }
              ],
              "vendor": "github.com/jackc/pgx/v5",
              "versions": [
                {
                  "lessThan": "5.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Memory-safety vulnerability in github.com/jackc/pgx/v5."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-129 \u2014 Improper Validation of Array Index",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T18:30:29.157Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-4771"
            }
          ],
          "title": "CVE-2026-33815 in github.com/jackc/pgx"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-33815",
        "datePublished": "2026-04-07T15:19:24.344Z",
        "dateReserved": "2026-03-23T20:35:32.814Z",
        "dateUpdated": "2026-06-30T12:07:31.877Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-27304 (GCVE-0-2024-27304)

    Vulnerability from nvd – Published: 2024-03-06 19:07 – Updated: 2024-12-12 20:52
    Title
    pgx SQL Injection via Protocol Message Size Overflow
    Summary
    pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    Impacted products
    Vendor Product Version
    jackc pgx Affected: < 4.18.2
    Affected: >= 5.0.0, < 5.5.4
    jackc pgx Affected: 0 , < 4.18.2 (custom)
        cpe:2.3:a:jackc:pgx:*:*:*:*:*:*:*:*
    jackc pgx Affected: 5.0.0 , < 5.5.4 (custom)
        cpe:2.3:a:jackc:pgx:5.0.0:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jackc:pgx:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "pgx",
                "vendor": "jackc",
                "versions": [
                  {
                    "lessThan": "4.18.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:jackc:pgx:5.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "pgx",
                "vendor": "jackc",
                "versions": [
                  {
                    "lessThan": "5.5.4",
                    "status": "affected",
                    "version": "5.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-27304",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-06T20:31:57.168692Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-25T16:31:36.133Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:27:59.959Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv"
              },
              {
                "name": "https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8"
              },
              {
                "name": "https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007"
              },
              {
                "name": "https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4"
              },
              {
                "name": "https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8"
              },
              {
                "name": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pgx",
              "vendor": "jackc",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.18.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.5.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker\u0027s control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-12T20:52:24.821Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv"
            },
            {
              "name": "https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8"
            },
            {
              "name": "https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007"
            },
            {
              "name": "https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4"
            },
            {
              "name": "https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8"
            },
            {
              "name": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df"
            },
            {
              "name": "https://www.youtube.com/watch?v=Tfg1B8u1yvE",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.youtube.com/watch?v=Tfg1B8u1yvE"
            }
          ],
          "source": {
            "advisory": "GHSA-mrww-27vc-gghv",
            "discovery": "UNKNOWN"
          },
          "title": "pgx SQL Injection via Protocol Message Size Overflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-27304",
        "datePublished": "2024-03-06T19:07:08.491Z",
        "dateReserved": "2024-02-22T18:08:38.875Z",
        "dateUpdated": "2024-12-12T20:52:24.821Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-27289 (GCVE-0-2024-27289)

    Vulnerability from nvd – Published: 2024-03-06 18:28 – Updated: 2025-06-12 15:45
    VLAI
    Title
    pgx SQL Injection via Line Comment Creation
    Summary
    pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    jackc pgx Affected: < 4.18.2
    jackc pgx Affected: 0 , < 4.18.2 (custom)
        cpe:2.3:a:jackc:pgx:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jackc:pgx:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "pgx",
                "vendor": "jackc",
                "versions": [
                  {
                    "lessThan": "4.18.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-27289",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-24T14:13:55.313789Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T15:55:01.536Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-06-12T15:45:56.361Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw/"
              },
              {
                "name": "https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p"
              },
              {
                "name": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df"
              }
            ],
            "title": "CVE Program Container",
            "x_generator": {
              "engine": "ADPogram 0.0.1"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pgx",
              "vendor": "jackc",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.18.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-03-06T18:28:12.291Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p"
            },
            {
              "name": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df"
            }
          ],
          "source": {
            "advisory": "GHSA-m7wr-2xf7-cm9p",
            "discovery": "UNKNOWN"
          },
          "title": "pgx SQL Injection via Line Comment Creation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-27289",
        "datePublished": "2024-03-06T18:28:12.291Z",
        "dateReserved": "2024-02-22T18:08:38.873Z",
        "dateUpdated": "2025-06-12T15:45:56.361Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-41889 (GCVE-0-2026-41889)

    Vulnerability from cvelistv5 – Published: 2026-05-08 15:53 – Updated: 2026-05-08 19:38
    VLAI
    Title
    pgx: SQL Injection via placeholder confusion with dollar quoted string literals
    Summary
    pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    jackc pgx Affected: < 5.9.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41889",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T19:38:09.336936Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T19:38:34.153Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pgx",
              "vendor": "jackc",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.9.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-08T15:53:00.251Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx"
            },
            {
              "name": "https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da"
            },
            {
              "name": "https://github.com/jackc/pgx/releases/tag/v5.9.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jackc/pgx/releases/tag/v5.9.2"
            }
          ],
          "source": {
            "advisory": "GHSA-j88v-2chj-qfwx",
            "discovery": "UNKNOWN"
          },
          "title": "pgx: SQL Injection via placeholder confusion with dollar quoted string literals"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41889",
        "datePublished": "2026-05-08T15:53:00.251Z",
        "dateReserved": "2026-04-22T15:11:54.671Z",
        "dateUpdated": "2026-05-08T19:38:34.153Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33816 (GCVE-0-2026-33816)

    Vulnerability from cvelistv5 – Published: 2026-04-07 15:19 – Updated: 2026-06-30 12:06
    VLAI
    Title
    CVE-2026-33816 in github.com/jackc/pgx
    Summary
    Memory-safety vulnerability in github.com/jackc/pgx/v5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Go
    References
    URL Tags
    https://pkg.go.dev/vuln/GO-2026-4772
    https://access.redhat.com/security/cve/CVE-2026-33816 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2455972 issue-trackingx_refsource_REDHAT
    https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
    https://access.redhat.com/errata/RHSA-2026:17789 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:19137 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:26636 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:22423 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24503 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24539 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:25273 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:13829 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11070 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11217 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:13791 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:13907 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:26519 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24479 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24475 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24482 vendor-advisoryx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    github.com/jackc/pgx/v5 github.com/jackc/pgx/v5/pgproto3 Affected: 0 , < 5.9.0 (semver)
    Red Hat Cryostat 4 on RHEL 9     cpe:/a:redhat:cryostat:4::el9
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.2
    Red Hat Custom Metric Autoscaler 2.19     cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.19::el9
    Red Hat Multicluster Global Hub 1.3.4     cpe:/a:redhat:multicluster_globalhub:1.3::el9
    Red Hat Multicluster Global Hub 1.7.1     cpe:/a:redhat:multicluster_globalhub:1.7::el9
    Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.15     cpe:/a:redhat:acm:2.15::el9
    Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.16     cpe:/a:redhat:acm:2.16::el9
    Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.10     cpe:/a:redhat:advanced_cluster_security:4.10::el8
    Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.8     cpe:/a:redhat:advanced_cluster_security:4.8::el8
    Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.9     cpe:/a:redhat:advanced_cluster_security:4.9::el8
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Red Hat Red Hat OpenShift Pipelines 1.21     cpe:/a:redhat:openshift_pipelines:1.21::el9
    Red Hat Red Hat Trusted Artifact Signer 1.3     cpe:/a:redhat:trusted_artifact_signer:1.3::el9
    Red Hat Custom Metric Autoscaler operator for Red Hat Openshift     cpe:/a:redhat:openshift_custom_metrics_autoscaler:2
    Red Hat Multicluster Engine for Kubernetes     cpe:/a:redhat:multicluster_engine
    Red Hat Multicluster Global Hub     cpe:/a:redhat:multicluster_globalhub
    Red Hat Red Hat 3scale API Management Platform 2     cpe:/a:redhat:red_hat_3scale_amp:2
    Red Hat Red Hat Advanced Cluster Security 4     cpe:/a:redhat:advanced_cluster_security:4
    Red Hat Red Hat Edge Manager 1     cpe:/a:redhat:edge_manager:1
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Red Hat Red Hat Openshift Data Foundation 4     cpe:/a:redhat:openshift_data_foundation:4
    Red Hat Red Hat Trusted Artifact Signer     cpe:/a:redhat:trusted_artifact_signer:1
    Red Hat Zero Trust Workload Identity Manager - Tech Preview     cpe:/a:redhat:zero_trust_workload_identity_manager:0
    Red Hat Red Hat Quay 3     cpe:/a:redhat:quay:3
    Red Hat Zero Trust Workload Identity Manager     cpe:/a:redhat:zero_trust_workload_identity_manager:1
    Red Hat OpenShift Pipelines     cpe:/a:redhat:openshift_pipelines:1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33816",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T14:24:50.570972Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T16:04:30.991Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Cryostat 4 on RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.19::el9"
                ],
                "defaultStatus": "affected",
                "product": "Custom Metric Autoscaler 2.19",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_globalhub:1.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Global Hub 1.3.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_globalhub:1.7::el9"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Global Hub 1.7.1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:acm:2.15::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Management for Kubernetes 2.15",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:acm:2.16::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Management for Kubernetes 2.16",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4.10::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Security for Kubernetes 4.10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4.8::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Security for Kubernetes 4.8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4.9::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Security for Kubernetes 4.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_pipelines:1.21::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Pipelines 1.21",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:trusted_artifact_signer:1.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Trusted Artifact Signer 1.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2"
                ],
                "defaultStatus": "affected",
                "product": "Custom Metric Autoscaler operator for Red Hat Openshift",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_engine"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Engine for Kubernetes",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_globalhub"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Global Hub",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:red_hat_3scale_amp:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat 3scale API Management Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Security 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:edge_manager:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Edge Manager 1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:trusted_artifact_signer:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Trusted Artifact Signer",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:zero_trust_workload_identity_manager:0"
                ],
                "defaultStatus": "affected",
                "product": "Zero Trust Workload Identity Manager - Tech Preview",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quay:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Quay 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:zero_trust_workload_identity_manager:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Zero Trust Workload Identity Manager",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_pipelines:1"
                ],
                "defaultStatus": "unknown",
                "product": "OpenShift Pipelines",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-07T15:19:24.529Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in github.com/jackc/pgx, a PostgreSQL driver for Go. The pgproto3 sub-package, in versions prior to 5.9.0, has a memory-safety bug in its FunctionCall.Decode and Backend.Receive message-decoding routines; a crafted PostgreSQL wire-protocol message reaching these routines could corrupt memory, resulting in denial of service (DoS) or, depending on the nature of the corruption, potentially more severe impacts. Note that in Go an out-of-bounds access normally surfaces as a runtime panic (a crash) unless unsafe code is involved, so DoS is the most likely practical outcome. Backend.Receive is the server-side message reader, so programs that accept PostgreSQL protocol connections (proxies, poolers, test servers) appear to be the most directly exposed; confirm the exact trigger against the upstream advisory (GO-2026-4772). Update to pgx v5.9.0 or later."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 8.3,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-787",
                    "description": "Out-of-bounds Write",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:18.981Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-33816"
              },
              {
                "name": "RHBZ#2455972",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455972"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33816.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:17789"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:19137"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26636"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22423"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24503"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24539"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:25273"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13829"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11070"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11217"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13791"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13907"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26519"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24479"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24475"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24482"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:17789: Cryostat 4 on RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:19137: Red Hat Enterprise Linux AppStream (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26636: Custom Metric Autoscaler 2.19"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22423: Multicluster Global Hub 1.3.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24503: Multicluster Global Hub 1.7.1"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24539: Red Hat Advanced Cluster Management for Kubernetes 2.15"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:25273: Red Hat Advanced Cluster Management for Kubernetes 2.16"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13829: Red Hat Advanced Cluster Security for Kubernetes 4.10"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11070: Red Hat Advanced Cluster Security for Kubernetes 4.8"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11217: Red Hat Advanced Cluster Security for Kubernetes 4.8"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13791: Red Hat Advanced Cluster Security for Kubernetes 4.9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13907: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26519: Red Hat OpenShift Pipelines 1.21"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24479: Red Hat Trusted Artifact Signer 1.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24475: Red Hat Trusted Artifact Signer 1.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24482: Red Hat Trusted Artifact Signer 1.3"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-07T16:01:14.142Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-07T15:19:24.529Z",
                "value": "Made public."
              }
            ],
            "title": "github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "github.com/jackc/pgx/v5/pgproto3",
              "product": "github.com/jackc/pgx/v5/pgproto3",
              "programRoutines": [
                {
                  "name": "FunctionCall.Decode"
                },
                {
                  "name": "Backend.Receive"
                }
              ],
              "vendor": "github.com/jackc/pgx/v5",
              "versions": [
                {
                  "lessThan": "5.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Memory-safety vulnerability in the pgproto3 package of github.com/jackc/pgx/v5 (FunctionCall.Decode and Backend.Receive), affecting versions prior to 5.9.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-697 \u2014 Incorrect Comparison",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T15:49:13.116Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-4772"
            }
          ],
          "title": "CVE-2026-33816 in github.com/jackc/pgx"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-33816",
        "datePublished": "2026-04-07T15:19:24.529Z",
        "dateReserved": "2026-03-23T20:35:32.814Z",
        "dateUpdated": "2026-06-30T12:06:18.981Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33815 (GCVE-0-2026-33815)

    Vulnerability from cvelistv5 – Published: 2026-04-07 15:19 – Updated: 2026-06-30 12:07
    VLAI
    Title
    CVE-2026-33815 in github.com/jackc/pgx
    Summary
    Memory-safety vulnerability (out-of-bounds write) in the pgproto3 package of github.com/jackc/pgx/v5, affecting versions prior to 5.9.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    Assigner
    Go
    References
    URL Tags
    https://pkg.go.dev/vuln/GO-2026-4771
    https://access.redhat.com/security/cve/CVE-2026-33815 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2455975 issue-trackingx_refsource_REDHAT
    https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
    https://access.redhat.com/errata/RHSA-2026:17789 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:26636 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:22423 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24503 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24539 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:25273 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:13829 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11070 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11217 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:13791 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24479 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24475 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:24482 vendor-advisoryx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    github.com/jackc/pgx/v5 github.com/jackc/pgx/v5/pgproto3 Affected: 0 , < 5.9.0 (semver)
    Red Hat Cryostat 4 on RHEL 9     cpe:/a:redhat:cryostat:4::el9
    Red Hat Custom Metric Autoscaler 2.19     cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.19::el9
    Red Hat Multicluster Global Hub 1.3.4     cpe:/a:redhat:multicluster_globalhub:1.3::el9
    Red Hat Multicluster Global Hub 1.7.1     cpe:/a:redhat:multicluster_globalhub:1.7::el9
    Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.15     cpe:/a:redhat:acm:2.15::el9
    Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.16     cpe:/a:redhat:acm:2.16::el9
    Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.10     cpe:/a:redhat:advanced_cluster_security:4.10::el8
    Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.8     cpe:/a:redhat:advanced_cluster_security:4.8::el8
    Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.9     cpe:/a:redhat:advanced_cluster_security:4.9::el8
    Red Hat Red Hat Trusted Artifact Signer 1.3     cpe:/a:redhat:trusted_artifact_signer:1.3::el9
    Red Hat Custom Metric Autoscaler operator for Red Hat Openshift     cpe:/a:redhat:openshift_custom_metrics_autoscaler:2
    Red Hat Multicluster Engine for Kubernetes     cpe:/a:redhat:multicluster_engine
    Red Hat Multicluster Global Hub     cpe:/a:redhat:multicluster_globalhub
    Red Hat OpenShift Pipelines     cpe:/a:redhat:openshift_pipelines:1
    Red Hat Red Hat 3scale API Management Platform 2     cpe:/a:redhat:red_hat_3scale_amp:2
    Red Hat Red Hat Advanced Cluster Security 4     cpe:/a:redhat:advanced_cluster_security:4
    Red Hat Red Hat Edge Manager 1     cpe:/a:redhat:edge_manager:1
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Red Hat Red Hat Openshift Data Foundation 4     cpe:/a:redhat:openshift_data_foundation:4
    Red Hat Red Hat Trusted Artifact Signer     cpe:/a:redhat:trusted_artifact_signer:1
    Red Hat Zero Trust Workload Identity Manager - Tech Preview     cpe:/a:redhat:zero_trust_workload_identity_manager:0
    Red Hat Red Hat Quay 3     cpe:/a:redhat:quay:3
    Red Hat Zero Trust Workload Identity Manager     cpe:/a:redhat:zero_trust_workload_identity_manager:1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33815",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T14:21:42.714758Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T16:04:02.725Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Cryostat 4 on RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.19::el9"
                ],
                "defaultStatus": "affected",
                "product": "Custom Metric Autoscaler 2.19",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_globalhub:1.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Global Hub 1.3.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_globalhub:1.7::el9"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Global Hub 1.7.1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:acm:2.15::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Management for Kubernetes 2.15",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:acm:2.16::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Management for Kubernetes 2.16",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4.10::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Security for Kubernetes 4.10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4.8::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Security for Kubernetes 4.8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4.9::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Security for Kubernetes 4.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:trusted_artifact_signer:1.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Trusted Artifact Signer 1.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2"
                ],
                "defaultStatus": "affected",
                "product": "Custom Metric Autoscaler operator for Red Hat Openshift",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_engine"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Engine for Kubernetes",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_globalhub"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Global Hub",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_pipelines:1"
                ],
                "defaultStatus": "affected",
                "product": "OpenShift Pipelines",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:red_hat_3scale_amp:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat 3scale API Management Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Advanced Cluster Security 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:edge_manager:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Edge Manager 1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:trusted_artifact_signer:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Trusted Artifact Signer",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:zero_trust_workload_identity_manager:0"
                ],
                "defaultStatus": "affected",
                "product": "Zero Trust Workload Identity Manager - Tech Preview",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quay:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Quay 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:zero_trust_workload_identity_manager:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Zero Trust Workload Identity Manager",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-07T15:19:24.344Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in github.com/jackc/pgx, a PostgreSQL driver for Go. The pgproto3 sub-package (pgx's PostgreSQL wire-protocol implementation), in versions prior to 5.9.0, contains a memory-safety bug classified as an out-of-bounds write that could lead to unexpected behavior or a crash (denial of service). The CVSS vectors attached to this record rate the attack vector as network and the impact as high to critical, so treat the issue as remotely triggerable by a peer on the protocol connection until the upstream advisory (GO-2026-4771) narrows the trigger. Update to pgx v5.9.0 or later."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 8.3,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-787",
                    "description": "Out-of-bounds Write",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:07:31.877Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-33815"
              },
              {
                "name": "RHBZ#2455975",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455975"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33815.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:17789"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26636"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22423"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24503"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24539"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:25273"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13829"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11070"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11217"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13791"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24479"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24475"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24482"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:17789: Cryostat 4 on RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26636: Custom Metric Autoscaler 2.19"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22423: Multicluster Global Hub 1.3.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24503: Multicluster Global Hub 1.7.1"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24539: Red Hat Advanced Cluster Management for Kubernetes 2.15"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:25273: Red Hat Advanced Cluster Management for Kubernetes 2.16"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13829: Red Hat Advanced Cluster Security for Kubernetes 4.10"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11070: Red Hat Advanced Cluster Security for Kubernetes 4.8"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11217: Red Hat Advanced Cluster Security for Kubernetes 4.8"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13791: Red Hat Advanced Cluster Security for Kubernetes 4.9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24479: Red Hat Trusted Artifact Signer 1.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24475: Red Hat Trusted Artifact Signer 1.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24482: Red Hat Trusted Artifact Signer 1.3"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-07T16:01:25.130Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-07T15:19:24.344Z",
                "value": "Made public."
              }
            ],
            "title": "github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "github.com/jackc/pgx/v5/pgproto3",
              "product": "github.com/jackc/pgx/v5/pgproto3",
              "programRoutines": [
                {
                  "name": "Bind.Decode"
                },
                {
                  "name": "Backend.Receive"
                }
              ],
              "vendor": "github.com/jackc/pgx/v5",
              "versions": [
                {
                  "lessThan": "5.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Memory-safety vulnerability in github.com/jackc/pgx/v5: improper validation of an array index (CWE-129) in the pgproto3 message decoder (affected routines listed: Bind.Decode and Backend.Receive). Versions of github.com/jackc/pgx/v5/pgproto3 prior to 5.9.0 are affected; fixed in v5.9.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-129 \u2014 Improper Validation of Array Index",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T18:30:29.157Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-4771"
            }
          ],
          "title": "CVE-2026-33815 in github.com/jackc/pgx"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-33815",
        "datePublished": "2026-04-07T15:19:24.344Z",
        "dateReserved": "2026-03-23T20:35:32.814Z",
        "dateUpdated": "2026-06-30T12:07:31.877Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-27304 (GCVE-0-2024-27304)

    Vulnerability from cvelistv5 – Published: 2024-03-06 19:07 – Updated: 2024-12-12 20:52
    Title
    pgx SQL Injection via Protocol Message Size Overflow
    Summary
    pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size (the wire protocol carries a 32-bit length field, hence the 4 GB threshold) can cause the one large message to be sent as multiple messages under the attacker's control, so attacker-supplied bytes are parsed by the server as separate protocol messages rather than as parameter data. The problem is resolved in v4.18.2 and v5.5.4; the companion github.com/jackc/pgproto3 module, which implements the message encoding, received a corresponding advisory and fix (GHSA-7jwh-3vrq-q3m8, referenced below). As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size — in practice, enforce an application-level size limit on user-controlled parameters well below that bound.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    Impacted products
    Vendor Product Version
    jackc pgx Affected: < 4.18.2
    Affected: >= 5.0.0, < 5.5.4
    jackc pgx Affected: 0 , < 4.18.2 (custom)
        cpe:2.3:a:jackc:pgx:*:*:*:*:*:*:*:*
    jackc pgx Affected: 5.0.0 , < 5.5.4 (custom)
        cpe:2.3:a:jackc:pgx:5.0.0:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jackc:pgx:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "pgx",
                "vendor": "jackc",
                "versions": [
                  {
                    "lessThan": "4.18.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:jackc:pgx:5.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "pgx",
                "vendor": "jackc",
                "versions": [
                  {
                    "lessThan": "5.5.4",
                    "status": "affected",
                    "version": "5.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-27304",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-06T20:31:57.168692Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-25T16:31:36.133Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:27:59.959Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv"
              },
              {
                "name": "https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8"
              },
              {
                "name": "https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007"
              },
              {
                "name": "https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4"
              },
              {
                "name": "https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8"
              },
              {
                "name": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pgx",
              "vendor": "jackc",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.18.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.5.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker\u0027s control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-12T20:52:24.821Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv"
            },
            {
              "name": "https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8"
            },
            {
              "name": "https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007"
            },
            {
              "name": "https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4"
            },
            {
              "name": "https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8"
            },
            {
              "name": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df"
            },
            {
              "name": "https://www.youtube.com/watch?v=Tfg1B8u1yvE",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.youtube.com/watch?v=Tfg1B8u1yvE"
            }
          ],
          "source": {
            "advisory": "GHSA-mrww-27vc-gghv",
            "discovery": "UNKNOWN"
          },
          "title": "pgx SQL Injection via Protocol Message Size Overflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-27304",
        "datePublished": "2024-03-06T19:07:08.491Z",
        "dateReserved": "2024-02-22T18:08:38.875Z",
        "dateUpdated": "2024-12-12T20:52:24.821Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-27289 (GCVE-0-2024-27289)

    Vulnerability from cvelistv5 – Published: 2024-03-06 18:28 – Updated: 2025-06-12 15:45
    Title
    pgx SQL Injection via Line Comment Creation
    Summary
    pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value is immediately preceded by a minus sign (so a negative value such as -1 is interpolated as `--1`, which PostgreSQL reads as the start of a `--` line comment); there is a second placeholder for a string value after the first placeholder; both are on the same line; and both parameter values are user-controlled. The comment consumes the opening quote of the second, string-valued placeholder, so a newline inside that string value ends the comment and the remainder of the value is executed as SQL. The problem is resolved in v4.18.2 (this record lists only the v4 line as affected). As a workaround, do not use the simple protocol, or do not place a minus directly before a placeholder.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    jackc pgx Affected: < 4.18.2
    jackc pgx Affected: 0 , < 4.18.2 (custom)
        cpe:2.3:a:jackc:pgx:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jackc:pgx:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "pgx",
                "vendor": "jackc",
                "versions": [
                  {
                    "lessThan": "4.18.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-27289",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-24T14:13:55.313789Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T15:55:01.536Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-06-12T15:45:56.361Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw/"
              },
              {
                "name": "https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p"
              },
              {
                "name": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df"
              }
            ],
            "title": "CVE Program Container",
            "x_generator": {
              "engine": "ADPogram 0.0.1"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pgx",
              "vendor": "jackc",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.18.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-03-06T18:28:12.291Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p"
            },
            {
              "name": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df"
            }
          ],
          "source": {
            "advisory": "GHSA-m7wr-2xf7-cm9p",
            "discovery": "UNKNOWN"
          },
          "title": "pgx SQL Injection via Line Comment Creation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-27289",
        "datePublished": "2024-03-06T18:28:12.291Z",
        "dateReserved": "2024-02-22T18:08:38.873Z",
        "dateUpdated": "2025-06-12T15:45:56.361Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }