CVE-2026-41889

Published: Mag 08, 2026 Last Modified: Mag 08, 2026
ExploitDB:
Other exploit source:
Google Dorks:
LOW 2,3
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: low
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description

AI Translation Available

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.

89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Stable
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Availability Authentication Access Control
Potential Impacts:
Execute Unauthorized Code Or Commands Read Application Data Gain Privileges Or Assume Identity Bypass Protection Mechanism Modify Application Data
Applicable Platforms
Languages: Not Language-Specific, SQL
Technologies: Database Server
Likelihood of Exploit: High
View CWE Details
https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b…
https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da
https://github.com/jackc/pgx/releases/tag/v5.9.2
https://github.com/jackc/pgx/releases/tag/v5.9.2
https://github.com/jackc/pgx/security/advisories/GHSA-j88v-…
https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx