SB20260420104 - SQL injection in PostgreSQL driver and toolkit for Go



SB20260420104 - SQL injection in PostgreSQL driver and toolkit for Go

Published: April 20, 2026

Security Bulletin ID SB20260420104
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) SQL injection (CVE-ID: CVE-2026-41889)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the simple protocol query handling when processing SQL queries containing dollar quoted string literals with attacker-controllable placeholder-like text. A remote attacker can supply a crafted placeholder value to execute arbitrary SQL commands.

Exploitation requires use of the non-default simple protocol and a query pattern where placeholder parsing is confused by dollar quoted string literals.


Remediation

Install update from vendor's website.