CVE-2026-41889

Severity: Low (CVSS 4.0 base score 2.3)
EPSS: 27.5%
Published May 8, 2026 · Modified Jun 17, 2026

Description

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when all of the following hold: the non-default simple protocol is used, the SQL query contains a dollar-quoted string literal, that literal contains text that would be interpreted as a placeholder if it appeared outside a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.
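As an added audit check, not code from pgx or its advisory, the Go function below scans a query text for the condition the description names: placeholder-like text ($1, $2, ...) sitting inside a dollar-quoted literal. A defender can run it over a code base's query strings to find the ones that must not be executed through the simple protocol on an unpatched driver; the regular expressions and function names are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Opening delimiter of a PostgreSQL dollar-quoted string: $$ or $tag$.
var dollarTag = regexp.MustCompile(`^\$([A-Za-z_][A-Za-z0-9_]*)?\$`)

// A complete single-quoted literal ('' inside it is an escaped quote).
var singleQuoted = regexp.MustCompile(`^'(?:[^']|'')*'`)

// Text that pgx reads as a positional placeholder ($1, $2, ...).
var placeholderPattern = regexp.MustCompile(`\$[0-9]+`)

// PlaceholdersInsideDollarQuotes lists every $n token that sits inside a
// dollar-quoted literal of sql: the query shape CVE-2026-41889 describes
// for the simple protocol on pgx < 5.9.2. Placeholders outside literals,
// and "$$" inside ordinary single-quoted literals, are not reported.
func PlaceholdersInsideDollarQuotes(sql string) []string {
	var found []string
	for i := 0; i < len(sql); {
		if m := singleQuoted.FindStringIndex(sql[i:]); m != nil {
			i += m[1] // skip a standard literal whole
			continue
		}
		loc := dollarTag.FindStringIndex(sql[i:])
		if loc == nil {
			i++ // ordinary text, or a bare $n placeholder, which is fine
			continue
		}
		tag := sql[i : i+loc[1]]
		bodyStart := i + loc[1]
		end := strings.Index(sql[bodyStart:], tag)
		if end < 0 { // unterminated literal: the rest of the query is its body
			end = len(sql) - bodyStart
		}
		body := sql[bodyStart : bodyStart+end]
		found = append(found, placeholderPattern.FindAllString(body, -1)...)
		i = bodyStart + end + len(tag)
	}
	return found
}

func main() {
	// Constructed sample query: only the $2 inside the dollar quotes is reported.
	fmt.Println(PlaceholdersInsideDollarQuotes("SELECT $1, $$literal with $2 inside$$")) // [$2]
}
```

Any non-empty result means the query should be rewritten (or the literal expressed without a placeholder-like token) until the driver is upgraded to 5.9.2.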

CVSS Details

Base Score: 2.3 (CVSS 4.0)
Vector string: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: High
Attack Requirements: Present
Privileges Required: Low
User Interaction: None

Threat Intelligence

EPSS exploit probability: 27.5% percentile
Exploit status: no known exploit
Patch status: patch available

Weaknesses (1)

CWE-89: SQL Injection

Affected Products (1)

Vendor   Product   Version   Range
jackc    pgx       *         <5.9.2

References (3)

  • github.com https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da
    Patch
  • github.com https://github.com/jackc/pgx/releases/tag/v5.9.2
    Release Notes
  • github.com https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx
    Mitigation, Vendor Advisory

Remediation

  • github.com https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da
    Patch