HIGH🇵🇱 Wersja polska

CVE-2026-2006

CVSS 8.8v3.1pub. 2026-02-12upd. 2026-06-30

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • PostgreSQL

    APP
    Postgresql
    14.0 – 14.21 (bez)15.0 – 15.16 (bez)16.0 – 16.12 (bez)17.0 – 17.8 (bez)18.0 – 18.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2015-0244CRITICAL9.8ten sam produkt

PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1...

CVE-2015-3166CRITICAL9.8ten sam produkt

The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x befor...

CVE-2019-10211CRITICAL9.8ten sam produkt

Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via bundled Ope...

CVE-2018-16850CRITICAL9.8ten sam produkt

postgresql before versions 11.1, 10.6 is vulnerable to a to SQL injection in pg_upgrade and pg_dump via CREATE...

CVE-2018-1115CRITICAL9.1ten sam produkt

postgresql before versions 10.4, 9.6.9 is vulnerable in the adminpack extension, the pg_catalog.pg_logfile_rot...