
4 matches found

Vulnrichment
added 2026/03/15 7:32 p.m., 0 views

CVE-2026-4190 JawherKl node-api-postgres user.js User.getAll sql injection

A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was...

7.5 CVSS, 6.9 AI score, 0.00042 EPSS
Exploits: 0, References: 4
CNNVD
added 2022/08/02 12:0 a.m., 1 view

npm heroku-env command injection vulnerability

npm heroku-env is a package from npm USA. It is used to parse DATABASEURL from heroku configurations and split it into PG environment variables used by psql pgdump pgrestore and nodepostgres. A command injection vulnerability exists in all versions of heroku-env, which stems from the presence of...

9.8 CVSS, 8.3 AI score, 0.00513 EPSS
Exploits: 1, References: 2
Veracode
added 2017/08/14 5:20 a.m., 20 views

Remote Code Execution (RCE)

node-postgres is vulnerable to remote code execution (RCE) attacks. The library does not properly escape the results field, allowing a malicious user to inject and execute arbitrary code...

9.8 CVSS, 9.8 AI score, 0.70815 EPSS
Exploits: 1, References: 4, Affected Software: 1
Node.js
added 2017/08/13 4:26 a.m., 142 views

Remote Code Execution

Overview: Affected versions of pg contain a remote code execution vulnerability that occurs when the remote database or query specifies a crafted column name. There are two specific scenarios in which it is likely for an application to be vulnerable: 1. The application executes unsafe, user-suppli...

7.5 CVSS, 5.9 AI score, 0.70815 EPSS
Exploits: 1, Affected Software: 1