SB20260420104 - SQL injection in PostgreSQL driver and toolkit for Go
Published: April 20, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) SQL injection (CVE-ID: CVE-2026-41889)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in the simple protocol query handling when processing SQL queries containing dollar quoted string literals with attacker-controllable placeholder-like text. A remote attacker can supply a crafted placeholder value to execute arbitrary SQL commands.
Exploitation requires use of the non-default simple protocol and a query pattern where placeholder parsing is confused by dollar quoted string literals.
Remediation
Install update from vendor's website.