SQL injection in PostgreSQL driver and toolkit for Go - #VU126575
Published: April 20, 2026
PostgreSQL driver and toolkit for Go
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in the simple protocol query handling when processing SQL queries containing dollar quoted string literals with attacker-controllable placeholder-like text. A remote attacker can supply a crafted placeholder value to execute arbitrary SQL commands.
Exploitation requires use of the non-default simple protocol and a query pattern where placeholder parsing is confused by dollar quoted string literals.