CVE-2026-40906 Electric: SQL Injection via ORDER BY Parameter in Shape API

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the orderby parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted...

PT-2026-34173

Name of the Vulnerable Software and Affected Versions Electric versions 1.1.12 through 1.4.x Description The '/v1/shape' API in ElectricSQL contains an error-based SQL injection flaw. This occurs when the order by parameter is processed, allowing an authenticated user to execute crafted ORDER BY...