CVE-2026-41889 · CRITICAL 9.8 · EPSS p27.3%


Description

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when all of the following hold: the non-default simple protocol is used, the SQL query contains a dollar-quoted string literal, that literal contains text that would be interpreted as a placeholder (for example `$1`) if it appeared outside a string literal, and the value bound to that placeholder is attacker-controlled. The default extended protocol, which sends parameters separately from the query text, is not named as affected. This issue has been patched in version 5.9.2.
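The block below is an added illustration, not pgx's code and not part of the advisory: a toy client-side placeholder rewriter of the kind the simple protocol relies on, run once ignoring dollar-quoted literals (the condition the description names) and once honouring them. The query, the `notes` table, the attacker value and every function name are constructed for the example. With the naive rewrite, the quoted value lands inside the dollar-quoted literal, and because single-quote escaping does nothing about `$$`, a value containing `$$` closes the literal and the remainder of the value is parsed as SQL. With dollar quoting honoured, `$1` inside the literal is left as text and only the real placeholder outside it receives a quoted value.

```go
package main

// Added illustration (not pgx's code) of the CWE-89 condition in the
// description: client-side placeholder interpolation for the simple protocol
// that does not recognise dollar-quoted string literals, beside a version
// that does. All names, the query and the attacker value are constructed.

import (
	"fmt"
	"strconv"
	"strings"
)

// quoteLiteral renders a value as a single-quoted SQL literal, doubling
// embedded single quotes. It does nothing about "$$", which is the point.
func quoteLiteral(v string) string {
	return "'" + strings.ReplaceAll(v, "'", "''") + "'"
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }

func isIdent(c byte) bool {
	return c == '_' || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// dollarTag returns the opening tag ("$$", "$fn$", ...) if a dollar quote
// starts at sql[i], or "" otherwise. A tag may not begin with a digit, so
// "$1" is never a tag.
func dollarTag(sql string, i int) string {
	j := i + 1
	for j < len(sql) && (isIdent(sql[j]) || (j > i+1 && isDigit(sql[j]))) {
		j++
	}
	if j < len(sql) && sql[j] == '$' {
		return sql[i : j+1]
	}
	return ""
}

// interpolate rewrites $n placeholders into quoted literals. Single-quoted
// literals are always copied verbatim; dollar-quoted literals are copied
// verbatim only when honorDollarQuotes is true (the hardened behaviour).
func interpolate(sql string, args []string, honorDollarQuotes bool) string {
	var out strings.Builder
	i := 0
	for i < len(sql) {
		c := sql[i]
		if c == '\'' {
			// copy a single-quoted literal through its closing quote ('' escapes a quote)
			j := i + 1
			for j < len(sql) {
				if sql[j] == '\'' {
					if j+1 < len(sql) && sql[j+1] == '\'' {
						j += 2
						continue
					}
					break
				}
				j++
			}
			if j < len(sql) {
				j++
			}
			out.WriteString(sql[i:j])
			i = j
			continue
		}
		if c == '$' {
			if tag := dollarTag(sql, i); honorDollarQuotes && tag != "" {
				// copy the whole dollar-quoted literal; "$1" inside it is text
				rest := sql[i+len(tag):]
				end := strings.Index(rest, tag)
				if end < 0 {
					out.WriteString(sql[i:])
					return out.String()
				}
				stop := i + len(tag) + end + len(tag)
				out.WriteString(sql[i:stop])
				i = stop
				continue
			}
			if i+1 < len(sql) && isDigit(sql[i+1]) {
				j := i + 1
				for j < len(sql) && isDigit(sql[j]) {
					j++
				}
				n, _ := strconv.Atoi(sql[i+1 : j])
				if n >= 1 && n <= len(args) {
					out.WriteString(quoteLiteral(args[n-1]))
					i = j
					continue
				}
			}
		}
		out.WriteByte(c)
		i++
	}
	return out.String()
}

// Constructed query: a dollar-quoted literal whose text contains "$1",
// plus a genuine $1 placeholder outside it.
const Query = "INSERT INTO notes(body, author) VALUES ($$rate: $1 each$$, $1)"

// Constructed attacker-controlled value: "$$" closes the dollar quote if the
// value is ever substituted inside it, and "--" swallows the rest of the query.
const AttackerArg = "$$); DROP TABLE notes; --"

// VulnerableRewrite models the pre-fix condition; HardenedRewrite the fix.
func VulnerableRewrite() string { return interpolate(Query, []string{AttackerArg}, false) }
func HardenedRewrite() string   { return interpolate(Query, []string{AttackerArg}, true) }

func main() {
	fmt.Println("vulnerable:", VulnerableRewrite())
	fmt.Println("hardened:  ", HardenedRewrite())
}
```

In the vulnerable output the server sees `$$rate: '$$` as a complete dollar-quoted literal, then `); DROP TABLE notes; --` as the continuation of the statement. The practitioner check is therefore twofold: confirm whether any connection uses the simple query protocol at all, and if so upgrade to 5.9.2 or later rather than trying to filter `$$` out of inputs, since tagged quotes such as `$fn$` make that filter unreliable.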

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.36% probability of exploitation · percentile 27.3% · scored 2026-06-19T12:03:05Z
Published: 2026-05-08
Last modified: 2026-05-21

Underlying weaknesses (1)

CWE-89

References

  1. https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da
  2. https://github.com/jackc/pgx/releases/tag/v5.9.2
  3. https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx

Mapped weaknesses (1)

Type      Target                                                                                 Confidence  Tier
Weakness  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')   0%          live
          (cwe-89)

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE-2025-1094
  - CVE-2025-60118
  - CVE-2026-33816
  - CVE-2026-7816
  - CVE-2026-33815
  - CVE-2026-2005

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.