512 matches found
The vulnerability of the pg_dump utility in the PostgreSQL database management system allows a hacker to execute arbitrary code.
The vulnerability of the pgdump utility in the PostgreSQL database management system is related to the inclusion of functions from an unverified and uncontrolled area. Exploiting this vulnerability could allow a malicious actor to execute arbitrary code remotely...
CVE-2026-54760 Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema-qualified pg_read_file calls
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.1, the SQLChatAgent SQL-injection mitigation, with default allowdangerousoperations=False, combines a raw-text regex blocklist DANGEROUSSQLPATTERNS with a sqlglot SELECT-only statement allowlist...
Malicious code in mcp-server-pg (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 22d68bdfced357622e33e4608bd35ded4d8988ea6dc7da073b3a83075978815d On npm install, scripts/postinstall.js unconditionally reads a range of installer-owned identity and configuration files and POSTs a JSON payload to ...
MAL-2026-6922 Malicious code in mcp-server-pg (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 22d68bdfced357622e33e4608bd35ded4d8988ea6dc7da073b3a83075978815d On npm install, scripts/postinstall.js unconditionally reads a range of installer-owned identity and configuration files and POSTs a JSON payload to ...
GHSA-PMCH-G965-GRMR Langroid: SQLChatAgent _validate_query blocklist misses pg_read_file family enabling arbitrary file read
Summary SQLChatAgent in langroid ships a validatequery defense-in-depth layer whose DANGEROUSSQLPATTERNS regex blocklist enumerates dangerous SQL primitives by specific function name. The list misses the canonical PostgreSQL filesystem-disclosure family pgreadfile, pgstatfile, pglslogdir,...
postgresql: PostgreSQL libpq: Buffer overflow allows server superuser to overwrite client stack memory
A flaw was found in PostgreSQL libpq. A server superuser can exploit a buffer overflow vulnerability in the PQfn function, which is used by client functions such as loexport, loread, lolseek64, and lotell64. This allows the superuser to send an arbitrarily large response, overwriting the client's...
ruby:3.3 security update
An update is available for module.ruby, module.rubygem-mysql2, module.rubygem-pg, rubygem-mysql2, ruby, rubygem-pg. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE li...
[SECURITY] Fedora 44 Update: pgadmin4-9.16-1.fc44
pgAdmin is the most popular and feature rich Open Source administration and d evelopment platform for PostgreSQL, the most advanced Open Source database in the world...
Oracle Linux 9 : postgresql:15 (ELSA-2026-28037)
The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-28037 advisory. pgaudit 1.7.0-1 - Initial import for postgresql 15 module - Update to 1.7.0 - Support postgresql 15 - Related: 2128410 pgrepack 1.4.8-2 - Add new buil...
postgresql: PostgreSQL: Operating system account hijack via symlink following in pg_basebackup and pg_rewind
A flaw was found in PostgreSQL. This vulnerability, related to symlink following in pgbasebackup plain format and pgrewind, allows an origin superuser to overwrite local files. By exploiting this, an attacker could potentially hijack the operating system account. This attack has practical...
postgresql: PostgreSQL: Operating system account hijack via symlink following in pg_basebackup and pg_rewind
A flaw was found in PostgreSQL. This vulnerability, related to symlink following in pgbasebackup plain format and pgrewind, allows an origin superuser to overwrite local files. By exploiting this, an attacker could potentially hijack the operating system account. This attack has practical...
Malicious code in @mastra/pg (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3a70008c61b1e4ef205086d9fbbeb0435c8cee10e414626617fec6b946d45c84 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
MAL-2026-5959 Malicious code in @mastra/pg (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3a70008c61b1e4ef205086d9fbbeb0435c8cee10e414626617fec6b946d45c84 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
MiracleLinux 8 : ruby:3.3 (AXSA:2026-769:01)
The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2026-769:01 advisory. erb: ERB: Arbitrary code execution via deserialization bypass CVE-2026-41316 Tenable has extracted the preceding description block directly from the...
CLEANSTART-2026-BE05060 Security fixes for CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-39821, CVE-2026-42502, CVE-2026-42506 applied in versions: 1.29.1-r0
Multiple security vulnerabilities affect the cloudnative-pg package. These issues are resolved in later releases. See references for individual vulnerability details...
CVE-2026-6476
SQL injection in PostgreSQL pgcreatesubscriber allows an attacker with pgcreatesubscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pgcreatesubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected...
CVE-2026-6475
A flaw was found in PostgreSQL. This vulnerability, related to symlink following in pgbasebackup plain format and pgrewind, allows an origin superuser to overwrite local files. By exploiting this, an attacker could potentially hijack the operating system account. This attack has practical...
CVE-2026-44477
CVE-2026-44477 affects CloudNativePG prior to 1.29.1 and 1.28.3. The metrics exporter opens a PostgreSQL connection as the superuser and demotes to pg_monitor with SET ROLE, but the session_user remains postgres. Any SQL in the scrape session can call RESET ROLE to recover superuser privileges, t...
ruby:4.0 security update
An update is available for module.ruby, module.rubygem-mysql2, module.rubygem-pg, rubygem-mysql2, ruby, rubygem-pg. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE li...
ruby:3.3 security update
ruby 3.3.10-6 - Fix arbitrary code execution via deserialization bypass in ERB. CVE-2026-41316 Resolves: RHEL-171247 rubygem-abrt 0.4.0-1 - Update to abrt 0.4.0. Resolves: rhbz1842476 rubygem-mysql2 0.5.5-1 - Upgrade to mysql2 0.5.5. Related: RHEL-17090 rubygem-pg 1.5.4-1 - Upgrade to pg 1.5.4...