
67 matches found

RedhatCVE, added 6 days ago, 6 views

CVE-2026-32885

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...

CVSS 9.1, AI score 5.6, EPSS 0.00019
Exploits: 3, References: 1
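The missing check this entry describes is the classic path-traversal ("zip slip") defect: an archive entry named `../../something` is joined onto the destination directory and written wherever the result lands. The Go program below is an added example, not DDEV's code, showing the validation an `Untar` routine needs before it opens any path. The function names, the in-memory archive it builds and the temporary destination directory are this example's own.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned when an archive entry would resolve outside dest.
var ErrPathTraversal = errors.New("archive entry escapes destination directory")

// safeJoin returns dest/name only if the cleaned result stays inside dest.
// This is the check the advisory says was missing: an entry such as
// "../../.ssh/authorized_keys" must be rejected, not written.
func safeJoin(dest, name string) (string, error) {
	dest = filepath.Clean(dest)         // clean once so the prefix test is exact
	target := filepath.Join(dest, name) // Join also Cleans, collapsing ".."
	// Accept dest itself (the "./" entry) or anything under dest + separator.
	if target != dest && !strings.HasPrefix(target, dest+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrPathTraversal, name)
	}
	return target, nil
}

// extractTar writes the directories and regular files of r into dest, refusing
// entries that escape dest. Symlinks and hard links are skipped here; a full
// implementation must also validate their link targets, because a link that
// points outside dest followed by a file written "through" it is the same bug.
func extractTar(r io.Reader, dest string) ([]string, error) {
	tr := tar.NewReader(r)
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		target, err := safeJoin(dest, hdr.Name)
		if err != nil {
			return written, err // fail closed on the first bad entry
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
			if err != nil {
				return written, err
			}
			// Bound the copy by the header size so the stream cannot write
			// more than the archive claims for this entry.
			_, err = io.Copy(f, io.LimitReader(tr, hdr.Size))
			f.Close()
			if err != nil {
				return written, err
			}
			written = append(written, target)
		default:
			// symlinks, hard links, devices: not handled in this example
		}
	}
}

// buildTar constructs an in-memory archive for the example (constructed test
// data, not a real DDEV download).
func buildTar(entries map[string]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, body := range entries {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg})
		tw.Write([]byte(body))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "extract")
	defer os.RemoveAll(dest)

	good := buildTar(map[string]string{"site/index.php": "<?php echo 'hi';"})
	if files, err := extractTar(bytes.NewReader(good), dest); err == nil {
		fmt.Println("extracted:", files)
	}

	// The traversal entry is refused before anything is written for it.
	evil := buildTar(map[string]string{"../../escaped.txt": "owned"})
	_, err := extractTar(bytes.NewReader(evil), dest)
	fmt.Println("traversal rejected:", errors.Is(err, ErrPathTraversal))
}
```

The prefix comparison is done on the cleaned, joined path rather than on the raw entry name, so encodings such as `a/../../b` or an absolute `/etc/passwd` (which Join anchors under dest) are handled by the same test.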
Tenable Nessus, added 2026/06/04 12:00 a.m., 5 views

Oracle Linux 8 : go-toolset:ol8 (ELSA-2026-22112)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-22112 advisory. delve 1.25.2-1.0.1 golang 1.25.9-1.0.1 - EXPERIMENTAL: Introduce fipsnoenforceems GODEBUG var - Backported from OL9u7 - Resolves: OLDIS-53586 Tenable...

CVSS 7.5, AI score 6, EPSS 0.00058
Exploits: 0, References: 12
VulnCheck KEV, added 2026/05/20 12:00 a.m., 16 views

VulnCheck KEV: CVE-2026-6664

An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed SCRAM authentication packet...

CVSS 7.5, AI score 6, EPSS 0.00053
In the wild. Exploits: 1, References: 2
Fedora, added 2026/05/18 12:59 a.m., 11 views

[SECURITY] Fedora 43 Update: pgbouncer-1.25.2-1.fc43

pgbouncer is a lightweight connection pooler for PostgreSQL and uses libevent for low-level socket handling...

CVSS 8.1, AI score 7.1, EPSS 0.00185
Exploits: 0
Tenable Nessus, added 2026/05/17 12:00 a.m., 5 views

Fedora 44 : pgbouncer (2026-d3d959a176)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-d3d959a176 advisory. Update to 1.25.2. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested...

CVSS 8.1, AI score 5.8, EPSS 0.00185
Exploits: 0, References: 2
Tenable Nessus, added 2026/05/17 12:00 a.m., 7 views

Fedora 43 : pgbouncer (2026-fad57ac86d)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-fad57ac86d advisory. Update to 1.25.2. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested...

CVSS 8.1, AI score 5.8, EPSS 0.00185
Exploits: 0, References: 2
CBLMariner, added 2026/05/14 11:27 p.m., 7 views

CVE-2026-6665 affecting package pgbouncer for versions less than 1.25.2-1

CVE-2026-6665 affecting package pgbouncer for versions less than 1.25.2-1. An upgraded version of the package is available that resolves this issue...

CVSS 9.8, AI score 5.8, EPSS 0.00022
Exploits: 0
CBLMariner, added 2026/05/14 11:27 p.m., 6 views

CVE-2026-6666 affecting package pgbouncer for versions less than 1.25.2-1

CVE-2026-6666 affecting package pgbouncer for versions less than 1.25.2-1. An upgraded version of the package is available that resolves this issue...

CVSS 7.5, AI score 5.8, EPSS 0.00018
Exploits: 0
CBLMariner, added 2026/05/14 11:27 p.m., 8 views

CVE-2026-6667 affecting package pgbouncer for versions less than 1.25.2-1

CVE-2026-6667 affecting package pgbouncer for versions less than 1.25.2-1. An upgraded version of the package is available that resolves this issue...

CVSS 4.3, AI score 5.8, EPSS 0.00015
Exploits: 0
OSV, added 2026/05/12 8:52 a.m., 2 views

BIT-PGBOUNCER-2026-6666 PgBouncer crash in kill_pool_logins_server_error

A possible null pointer reference in PgBouncer before 1.25.2 could lead to a crash, if a server sends an error response without SQLSTATE field...

CVSS 7.5, AI score 5.8, EPSS 0.00018
Exploits: 0, References: 2
Positive Technologies, added 2026/05/12 12:00 a.m., 6 views

PT-2026-40291

PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console, which itself requires authorization, could run this command. It would have been correct to allow only users listed in the admin_users...

CVSS 4.3, AI score 5.8, EPSS 0.00015
Exploits: 0, References: 3
Vulnrichment, added 2026/05/09 4:15 a.m., 9 views

CVE-2026-42560 auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation

auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. ...

CVSS 9.1, AI score 5.7, EPSS 0.00032
Exploits: 0, References: 4
Cvelist, added 2026/05/09 4:15 a.m., 41 views

CVE-2026-42560 auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation

auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. ...

CVSS 9.1, EPSS 0.00032
Exploits: 0, References: 4
ATTACKERKB, added 2026/05/09 4:15 a.m., 5 views

CVE-2026-42560

auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. ...

CVSS 9.1, AI score 5.7, EPSS 0.00032
Exploits: 0, References: 5, Affected Software: 1
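The three entries for CVE-2026-42560 above (Vulnrichment, Cvelist, ATTACKERKB) describe a provider mapping in which the local user.ID does not depend on which Patreon account actually logged in, so every Patreon user shares one local identity. The Go program below is an added illustration, not the auth library's code or Patreon's API: it uses a constructed subset of a Patreon identity response and contrasts an ID derived from the provider name alone, which collides for every account, with one derived from the provider name plus the account's own stable id. The struct names, the hashing scheme and the two sample accounts are the example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// patreonIdentity is the subset of a Patreon identity response this example
// reads: the account's stable id and a couple of attributes. This is a
// constructed shape for the example, not a verbatim API document.
type patreonIdentity struct {
	Data struct {
		ID         string `json:"id"`
		Attributes struct {
			FullName string `json:"full_name"`
			Email    string `json:"email"`
		} `json:"attributes"`
	} `json:"data"`
}

// LocalUser is what the application stores in its session and authorizes on.
type LocalUser struct {
	ID   string
	Name string
}

// hashID turns a provider-scoped identifier into a short opaque local ID.
func hashID(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:8])
}

// mapUserVulnerable reproduces the bug class in the advisory: the local ID is
// derived from a constant (here, just the provider name) rather than from the
// account Patreon returned, so every Patreon login yields the same user.ID and
// one user's session is indistinguishable from another's.
func mapUserVulnerable(raw []byte) (LocalUser, error) {
	var p patreonIdentity
	if err := json.Unmarshal(raw, &p); err != nil {
		return LocalUser{}, err
	}
	return LocalUser{ID: hashID("patreon"), Name: p.Data.Attributes.FullName}, nil
}

// mapUserFixed derives the ID from the provider name plus the account's stable
// id, and refuses a response that lacks one rather than falling back to a
// shared value. Distinct accounts can never share a local ID, and the same
// account always maps to the same one.
func mapUserFixed(raw []byte) (LocalUser, error) {
	var p patreonIdentity
	if err := json.Unmarshal(raw, &p); err != nil {
		return LocalUser{}, err
	}
	if p.Data.ID == "" {
		return LocalUser{}, errors.New("patreon identity response has no account id")
	}
	return LocalUser{ID: hashID("patreon_" + p.Data.ID), Name: p.Data.Attributes.FullName}, nil
}

// Constructed identity responses for two distinct Patreon accounts.
var (
	alice = []byte(`{"data":{"id":"1001","attributes":{"full_name":"Alice","email":"alice@example.com"}}}`)
	bob   = []byte(`{"data":{"id":"2002","attributes":{"full_name":"Bob","email":"bob@example.com"}}}`)
)

func main() {
	a, _ := mapUserVulnerable(alice)
	b, _ := mapUserVulnerable(bob)
	fmt.Printf("vulnerable: alice=%s bob=%s collide=%v\n", a.ID, b.ID, a.ID == b.ID)
	a, _ = mapUserFixed(alice)
	b, _ = mapUserFixed(bob)
	fmt.Printf("fixed:      alice=%s bob=%s collide=%v\n", a.ID, b.ID, a.ID == b.ID)
}
```

The provider prefix matters as much as the account id: an id of `1001` from Patreon and `1001` from another provider must not collapse into one local user either, which is why the fixed mapper hashes `patreon_` together with the id.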
NVD, added 2026/05/09 1:16 a.m., 9 views

CVE-2026-6667

PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console, which itself requires authorization, could run this command. It would have been correct to allow only users listed in the admin_users...

CVSS 4.3, EPSS 0.00015
Exploits: 0, References: 1
NVD, added 2026/05/09 1:16 a.m., 7 views

CVE-2026-6666

A possible null pointer reference in PgBouncer before 1.25.2 could lead to a crash, if a server sends an error response without SQLSTATE field...

CVSS 7.5, EPSS 0.00018
Exploits: 0, References: 1
CVE, added 2026/05/09 12:43 a.m., 12 views

CVE-2026-6667

PgBouncer (pre-1.25.2) contains an authorization flaw in the KILL_CLIENT admin command: any user with access to the administration console could execute the command, instead of restricting it to admins listed in admin_users. This could allow unauthorized clients to be killed. Remediation: upgrade...

CVSS 4.3, AI score 5.8, EPSS 0.00015
Exploits: 0, References: 1, Affected Software: 1
CVE, added 2026/05/09 12:43 a.m., 22 views

CVE-2026-6666

CVE-2026-6666 concerns PgBouncer prior to 1.25.2, where a null pointer reference could cause a crash if a server response is missing an SQLSTATE field. The BIT-OSV entry reiterates the same description; no exploit details or in-the-wild status are provided. The available connected documents do no...

CVSS 7.5, AI score 5.8, EPSS 0.00018
Exploits: 0, References: 1, Affected Software: 1
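The OSV, NVD and CVE entries for CVE-2026-6666 above all describe the same failure: a server ErrorResponse that carries no SQLSTATE field crashes the pooler. The Go program below is an added example, not PgBouncer's code. It parses the PostgreSQL ErrorResponse field encoding (one type byte followed by a NUL-terminated string per field, ended by a single zero byte; the `C` field holds the SQLSTATE) and contrasts a lookup that assumes the field is present with one that tolerates its absence. The two message bodies are constructed, and the decision that a class-28 SQLSTATE indicates an authentication failure is this example's own illustrative use of the code, not PgBouncer's logic.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
)

var ErrMalformed = errors.New("malformed ErrorResponse body")

// parseErrorFields parses the body of a PostgreSQL ErrorResponse ('E')
// message: a sequence of (1-byte field type, NUL-terminated string) pairs,
// ended by a single 0x00 byte. The leading 'E' type byte and 4-byte length
// are assumed to have been stripped by the caller.
func parseErrorFields(body []byte) (map[byte]string, error) {
	fields := map[byte]string{}
	for len(body) > 0 {
		typ := body[0]
		if typ == 0 {
			return fields, nil // terminator reached
		}
		end := bytes.IndexByte(body[1:], 0)
		if end < 0 {
			return nil, ErrMalformed // string not terminated
		}
		fields[typ] = string(body[1 : 1+end])
		body = body[2+end:]
	}
	return nil, ErrMalformed // ran out of bytes before the terminator
}

// sqlstateVulnerable models the buggy assumption: it hands back a pointer that
// the caller dereferences without a nil check. A server (or proxy) that omits
// the 'C' field turns the dereference into a nil-pointer crash.
func sqlstateVulnerable(fields map[byte]string) *string {
	if v, ok := fields['C']; ok {
		return &v
	}
	return nil
}

func isAuthFailureVulnerable(fields map[byte]string) bool {
	code := sqlstateVulnerable(fields)
	return strings.HasPrefix(*code, "28") // panics when 'C' is absent
}

// isAuthFailureSafe treats a missing or too-short SQLSTATE as "unknown" and
// declines to classify the error, instead of crashing.
func isAuthFailureSafe(fields map[byte]string) bool {
	code, ok := fields['C']
	if !ok || len(code) < 2 {
		return false
	}
	return strings.HasPrefix(code, "28") // class 28: invalid authorization
}

// Constructed ErrorResponse bodies (not captured from a real server).
var (
	withSQLSTATE    = []byte("SFATAL\x00C28P01\x00Mpassword authentication failed\x00\x00")
	withoutSQLSTATE = []byte("SFATAL\x00Mpassword authentication failed\x00\x00")
)

func main() {
	for _, body := range [][]byte{withSQLSTATE, withoutSQLSTATE} {
		fields, err := parseErrorFields(body)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("fields=%q authFailure=%v\n", fields, isAuthFailureSafe(fields))
	}
	// The vulnerable path crashes on the second body; recover to show it.
	defer func() { fmt.Println("vulnerable path panicked:", recover() != nil) }()
	fields, _ := parseErrorFields(withoutSQLSTATE)
	isAuthFailureVulnerable(fields)
}
```

Any field in an ErrorResponse is optional from the parser's point of view, so every lookup on the parsed map needs the `ok` check, not only the SQLSTATE one.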
EUVD, added 2026/05/09 12:43 a.m., 11 views

EUVD-2026-28876

An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed SCRAM authentication packet...

CVSS 7.5, AI score 6, EPSS 0.00053
Exploits: 1, References: 1
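Both the VulnCheck KEV and EUVD entries for CVE-2026-6664 above describe a boundary check that an integer overflow bypasses. The Go program below is an added illustration of that bug class on a constructed length-prefixed packet; it is not PgBouncer's parsing code and does not reproduce the real SCRAM message layout. The packet shape (a 4-byte big-endian field length followed by the field), the hostile length value and the function names are assumptions made for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrShort = errors.New("field length exceeds packet")

// fieldLenVulnerable reproduces the unsafe pattern: it checks whether the
// claimed field fits by adding the offset to the claimed length. Both are
// uint32, so a hostile length near 2^32 wraps the sum back below len(pkt) and
// the check passes even though the field cannot possibly fit. The caller
// would then read n bytes past the end of the buffer.
func fieldLenVulnerable(pkt []byte, offset uint32) (uint32, error) {
	if int(offset)+4 > len(pkt) {
		return 0, ErrShort
	}
	n := binary.BigEndian.Uint32(pkt[offset:])
	end := offset + 4 + n // wraps silently on overflow
	if end > uint32(len(pkt)) {
		return 0, ErrShort
	}
	return n, nil
}

// fieldLenSafe rearranges the comparison so that no addition can overflow:
// compute how many bytes actually remain after the length prefix and compare
// the claimed length against that, subtracting only values already known to
// be in range.
func fieldLenSafe(pkt []byte, offset uint32) (uint32, error) {
	if uint64(offset)+4 > uint64(len(pkt)) {
		return 0, ErrShort
	}
	n := binary.BigEndian.Uint32(pkt[offset:])
	remaining := uint32(len(pkt)) - offset - 4
	if n > remaining {
		return 0, ErrShort
	}
	return n, nil
}

// malformedPacket builds a constructed 12-byte packet whose length field
// claims 0xFFFFFFFC bytes: offset(0) + 4 + 0xFFFFFFFC wraps to 0 in uint32,
// which is "less than 12" and so slips past the vulnerable check.
func malformedPacket() []byte {
	pkt := make([]byte, 12)
	binary.BigEndian.PutUint32(pkt, 0xFFFFFFFC)
	return pkt
}

func main() {
	pkt := malformedPacket()
	n, err := fieldLenVulnerable(pkt, 0)
	fmt.Printf("vulnerable check: n=%d err=%v\n", n, err) // accepted: check bypassed
	n, err = fieldLenSafe(pkt, 0)
	fmt.Printf("safe check:       n=%d err=%v\n", n, err) // rejected
}
```

The general rule the safe version follows: never validate `offset + length <= size`; validate `length <= size - offset` after establishing `offset <= size`, so every intermediate value stays in range.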
CNNVD, added 2026/05/09 12:00 a.m., 6 views

PgBouncer security vulnerability

PgBouncer is an open-source, lightweight connection pool for PostgreSQL developed by the PgBouncer community. Prior to version 1.25.2, PgBouncer had a security vulnerability. This vulnerability stemmed from insufficient authorization checks for the KILL_CLIENT management command. As long as users...

CVSS 4.3, AI score 5.9, EPSS 0.00015
Exploits: 0, References: 2
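The Positive Technologies, NVD, CVE and CNNVD entries for CVE-2026-6667 above describe one flaw: reaching the console required authentication, but the KILL_CLIENT command was not additionally restricted to admin_users, so any console user could kill other clients. The Go program below is an added example, not PgBouncer's console code. It assumes the two user classes PgBouncer configures for its console, admin_users (full control) and stats_users (read-only SHOW), and contrasts a denylist of privileged commands, where a newly added command is open to everyone until someone remembers to list it, with an allowlist of read-only commands that treats anything else as admin-only. The dispatch structure, the user names and the set of commands in the denylist are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrNotAuthorized = errors.New("command requires admin privileges")

// Console holds the two user tiers of the admin console. Both tiers have
// already authenticated by the time Authorize runs; the question is what each
// may do once connected.
type Console struct {
	AdminUsers map[string]bool
	StatsUsers map[string]bool
}

// readOnly lists the commands a stats user may run. Anything not listed is
// privileged by default, so a command added later (KILL_CLIENT in the
// advisory) is admin-only without any further change.
var readOnly = map[string]bool{"SHOW": true}

// verbOf extracts the command keyword, case-insensitively.
func verbOf(cmd string) string {
	f := strings.Fields(cmd)
	if len(f) == 0 {
		return ""
	}
	return strings.ToUpper(f[0])
}

// Authorize is the allowlist version: admins may run anything, stats users
// only read-only verbs, everyone else nothing.
func (c *Console) Authorize(user, cmd string) error {
	verb := verbOf(cmd)
	switch {
	case verb == "":
		return errors.New("empty command")
	case c.AdminUsers[user]:
		return nil
	case c.StatsUsers[user] && readOnly[verb]:
		return nil
	case c.StatsUsers[user]:
		return fmt.Errorf("%w: %s", ErrNotAuthorized, verb)
	default:
		return errors.New("unknown console user")
	}
}

// AuthorizeVulnerable is the denylist version: only verbs someone remembered
// to enumerate are gated on admin_users. KILL_CLIENT is not in the list, so a
// stats user passes. (It relies on console authentication having already
// rejected unknown users, as the advisory notes it did.)
func (c *Console) AuthorizeVulnerable(user, cmd string) error {
	privileged := map[string]bool{"PAUSE": true, "RESUME": true, "RELOAD": true, "SHUTDOWN": true}
	if privileged[verbOf(cmd)] && !c.AdminUsers[user] {
		return ErrNotAuthorized
	}
	return nil
}

func main() {
	c := &Console{
		AdminUsers: map[string]bool{"pgbouncer": true}, // constructed names
		StatsUsers: map[string]bool{"monitor": true},
	}
	for _, cmd := range []string{"SHOW CLIENTS", "KILL_CLIENT 42"} {
		fmt.Printf("%-15s as stats user: denylist=%v allowlist=%v\n", cmd,
			c.AuthorizeVulnerable("monitor", cmd), c.Authorize("monitor", cmd))
	}
}
```

The difference between the two functions is not which commands they know about but what happens to a command neither of them anticipated: the allowlist fails closed, the denylist fails open.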