CVE-2026-6637HIGH 8.8EPSS p29.4%
CVE-2026-6637CVE-2026-6637
Description
Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Scoring
| CVSS 3.1 | 8.8 (HIGH) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| EPSS | 0.38% probability of exploitation · percentile 29.4% · 2026-06-19T12:03:05Z |
| Published | 2026-05-14 |
| Last modified | 2026-05-18 |
Underlying weaknesses· 2
References
2
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Stack-based Buffer Overflowcwe-121 | 0% | live |
| Weakness | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')cwe-89 | 0% | live |
Related by meaning· 6
Nearest entities by semantic similarity across the cs-graph corpus.