SQL injection in PostgreSQL driver and toolkit for Go - #VU126575

 

SQL injection in PostgreSQL driver and toolkit for Go - #VU126575

Published: April 20, 2026


Vulnerability identifier: #VU126575
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jack Christensen
Affected software:
PostgreSQL driver and toolkit for Go

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the simple protocol query handling when processing SQL queries containing dollar quoted string literals with attacker-controllable placeholder-like text. A remote attacker can supply a crafted placeholder value to execute arbitrary SQL commands.

Exploitation requires use of the non-default simple protocol and a query pattern where placeholder parsing is confused by dollar quoted string literals.


Remediation

Install security update from vendor's website.

Sources