postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database...

Important: Red Hat Security Advisory: postgresql:15 security update

An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severi...

SQL Injection

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to SQL Injection in the Increment operation on PostgreSQL when handling nested object fields using dot notation. An attacker ca...

GHSA-GQPP-XGVH-9H7H Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL

Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write...

EUVD-2026-11277

Parse Server vulnerable to SQL Injection via dot-notation sub-key name in Increment operation on PostgreSQL...

Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL

Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write...

EUVD-2026-11255

Parse Server vulnerable to SQL injection via Increment operation on nested object field in PostgreSQL...

GHSA-Q3VJ-96H2-GWVG Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL

Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker...

Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL

Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker...

PT-2026-24760

Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write...

Parse Server SQL注入漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. Versions of Parse Server prior to 9.6.0-alpha.3 and 8.6.29 have a SQL injection vulnerability. This vulnerability stems from the improper handling of the Increme...

Parse Server SQL注入漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 9.6.0-alpha.10 and 8.6.36 contain a SQL injection vulnerability. This vulnerability arises when PostgreSQL database is used in...

PT-2026-24689

Impact The protectedFields class-level permission CLP can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This...

PT-2026-24750

Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker...

Parse Server SQL注入漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. Versions of Parse Server prior to 9.6.0-alpha.5 and 8.6.31 have a SQL injection vulnerability. This vulnerability stems from the improper handling of subkey name...

PT-2026-24825

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with...

AlmaLinux 9 : postgresql:15 (ALSA-2026:3896)

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:3896 advisory. postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code CVE-2026-2006 postgresql: PostgreSQL intarray missing...

AlmaLinux 8 : postgresql:16 (ALSA-2026:4063)

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:4063 advisory. postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code CVE-2026-2006 postgresql: PostgreSQL intarray missing...

Oracle Linux 8 : postgresql:12 (ELSA-2026-4064)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-4064 advisory. - Add backport of CVE-2025-8714 Orabug: 38667546 - Fix CVE-2026-2004 CVE-2026-2005 CVE-2026-2006 - Backport CVE-2025-8715 - Fix backport for...

AlmaLinux 9 : postgresql (ALSA-2026:3730)

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:3730 advisory. postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code CVE-2026-2006 postgresql: PostgreSQL intarray missing...