CVE-2026-40906HIGH 8.8EPSS p32.2%

CVE-2026-40906CVE-2026-40906

Description

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.40% probability of exploitation · percentile 32.2% · 2026-06-19T12:03:05Z
Published2026-04-21
Last modified2026-05-13

Underlying weaknesses· 1

CWE-89

References

  1. https://github.com/electric-sql/electric/pull/4081
  2. https://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj
  3. https://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')cwe-890%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-69306
CVE
CVE-2026-21630
CVE
CVE-2026-3172
CVE
CVE-2026-27373
CVE
CVE-2026-26186
CVE
CVE-2026-2004
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.