JLSEC-2026-56 — Vulnetix

JLSEC-2026-56 PUBLISHED CVSS 9.300000190734863 CRITICAL

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
Julia	LibPQ_jll	14.1.0+0, 14.1.0+0

Timeline

Apr 3, 2026 CVE Published
Apr 3, 2026 CVE Updated

References

https://www.postgresql.org/support/security/CVE-2026-2006/ url

Open in Interactive Console →