CVE-2026-49498EPSS p17.0%

CVE-2026-49498CVE-2026-49498

nsa / ghidra

Description

Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in PasswordChange network messages to escalate to PostgreSQL superuser privileges and gain full database control.

Scoring

CVSS 8.8 ()
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.26% probability of exploitation · percentile 17.0% · 2026-06-18T12:00:27Z
Last modified2026-06-11

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-52758
CVE
CVE-2025-59468
CVE
CVE-2026-52754
CVE
CVE-2026-52750
CVE
CVE-2025-1094
CVE
CVE-2026-2006
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.