CVE-2026-29090

Rucio contains a SQL injection in FilterEngine.create_postgres_query() when the postgres_meta metadata plugin is configured. Attacker-controlled filter keys/values are interpolated into raw SQL via Python .format() and passed to psycopg3.sql.SQL(), enabling arbitrary SQL against the PostgreSQL me...

CVE-2026-29090 Rucio SQL injection in postgres_meta DID search path compromises PostgreSQL metadata database

Summary A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in FilterEngine.createpostgresquery. This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search endpoin...

GHSA-6J7P-QJHG-9947 Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API

Summary A SQL injection vulnerability in FilterEngine.createpostgresquery allows any authenticated Rucio user to execute arbitrary SQL against the configured PostgreSQL metadata database through the DID search endpoint GET /dids//dids/search. When the external metadata plugin postgresmeta is...

Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API

Summary A SQL injection vulnerability in FilterEngine.createpostgresquery allows any authenticated Rucio user to execute arbitrary SQL against the configured PostgreSQL metadata database through the DID search endpoint GET /dids//dids/search. When the external metadata plugin postgresmeta is...

SQL Injection

Overview rucio is a Rucio Package Affected versions of this package are vulnerable to SQL Injection via the createpostgresquery function when attacker-controlled filter keys and values are interpolated directly into raw SQL statements through the DID search endpoint. An attacker can execute...

PT-2026-38087

Summary A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in FilterEngine.create postgres query. This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search...

com.arcadedb:arcadedb-bolt (>=26.2.1 <=26.3.2), com.arcadedb:arcadedb-coverage (>=21.9.1 <=25.4.1) +10 more potentially affected by CVE-2026-44221 via com.arcadedb:arcadedb-server (>=21.10.1 <=26.3.2)

com.arcadedb:arcadedb-server MAVEN version =21.10.1, =26.2.1, =21.9.1, =21.12.1, =24.11.1, =25.9.1, =25.1.1, =21.9.1, =21.9.1, =21.9.1, =21.9.1, =25.11.1, =26.3.2 - io.github.mdre:adbogm =0.9.0.6 Source cves: CVE-2026-44221 Source advisory: OSV:GHSA-FXC7-FM93-6Q77...

EUVD-2026-26247

pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS...

Malicious code in @cap-js/postgres (npm)

Supply chain compromise of legitimate SAP packages published by threat actor "[email protected]" impersonating SAP toolchain maintainers. All four compromised packages share the same fingerprint: setup.mjs 4.4 KB and execution.js 11.1 MB bundled in the tarball, with a preinstall hook of "node...

MAL-2026-3177 Malicious code in @cap-js/postgres (npm)

Supply chain compromise of legitimate SAP packages published by threat actor "[email protected]" impersonating SAP toolchain maintainers. All four compromised packages share the same fingerprint: setup.mjs 4.4 KB and execution.js 11.1 MB bundled in the tarball, with a preinstall hook of "node...

OPENSUSE-SU-2026:10644-1 prometheus-postgres_exporter-0.10.1-6.1 on GA media

These are all security issues fixed in the prometheus-postgresexporter-0.10.1-6.1 package on the GA media of openSUSE Tumbleweed...

Veeam Backup and Replication 12.x < 12.3.2.4465 Multiple Vulnerabilities (KB4830)

The version of Veeam Backup and Replication installed on the remote Windows host is 12.x prior to 12.3.2.4465. It is, therefore, affected by multiple vulnerabilities, including: - A vulnerability allowing an authenticated domain user to perform remote code execution RCE on the Backup Server...

CVE-2026-40906

A flaw was found in ElectricSQL, a Postgres sync engine. An authenticated user could exploit an error-based SQL injection vulnerability in the /v1/shape API's orderby parameter. This flaw allows an attacker to read, write, and destroy the full contents of the underlying PostgreSQL database. Such ...

PT-2026-37159

Name of the Vulnerable Software and Affected Versions pgx versions prior to 5.9.2 Description SQL injection can occur when the non-default simple protocol is used in conjunction with a dollar quoted string literal in the SQL query. If that string literal contains text that would be interpreted as...

CVE-2026-40906 Electric: SQL Injection via ORDER BY Parameter in Shape API

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the orderby parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted...

Security update 5.1.3 for Multi-Linux Manager Client Tools

This update fixes the following issues: spacecmd: Version 5.1.13-0 Update translation strings uyuni-tools: Version 5.1.26-0 Fix applying PTF with images from RPMs bsc1252548 Ssl Key file can miss if CA password is blank bsc1254154 mgrpxy ssh tuning should happens before crypto policies bsc1254619...

OpenBao SQL注入漏洞

OpenBao is an open-source sensitive data management software developed by OpenBao. Versions of OpenBao prior to 2.5.3 had a SQL injection vulnerability. This vulnerability occurred when revoking role permissions in the PostgreSQL database key engine, where the correct database reference was not...

Security update for roundcubemail (important)

openSUSE security update: security update for roundcubemail ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20586-1 Rating: important References: bsc1261157 bsc1261488 Cross-References: CVE-2026-35537 Affected Products: openSUSE Leap 16.0...

Electric SQL注入漏洞

Electric is an open-source Postgres real-time data synchronization engine developed by Electric. Versions of Electric from 1.1.12 to 1.5.0 contained a SQL injection vulnerability. This vulnerability stemmed from the orderby parameter in the /v1/shape API, which allowed incorrect SQL injections...

Security update for roundcubemail (important)

openSUSE Security Update: Security update for roundcubemail Announcement ID: openSUSE-SU-2026:0141-1 Rating: important References: 1261157 1261488 Cross-References: CVE-2026-35537 Affected Products: openSUSE Backports SLE-15-SP7 An update that solves one vulnerability and has one errata is now...