cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2025-1094,https://securityvulnerability.io/vulnerability/CVE-2025-1094,SQL Injection Vulnerability in PostgreSQL libpq Functions and Command Line Utilities,"This vulnerability arises from improper handling of quoting syntax in PostgreSQL libpq functions, which can allow SQL injection through specific usage patterns. Attackers can leverage this flaw when application input from these functions is used improperly, especially in the construction of commands for psql, the PostgreSQL interactive terminal. Additionally, the improper neutralization of quoting can also impact command line utility operations when certain encoding configurations are specified, making it a relevant threat for versions prior to PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19.",PostgreSQL,Postgresql,8.1,HIGH,0.0004299999854993075,false,,true,false,true,2025-02-14T05:03:12.000Z,true,true,false,,2025-02-13T13:00:02.061Z,7485
CVE-2024-10979,https://securityvulnerability.io/vulnerability/CVE-2024-10979,Unprivileged User Can Execute Arbitrary Code via Environment Variables,"The PostgreSQL open-source database system has a high-severity security flaw (CVE-2024-10979) that allows unprivileged users to alter environment variables, potentially leading to code execution or information disclosure. This vulnerability could enable an attacker to execute arbitrary code by modifying environment variables such as PATH, or extract valuable information by running malicious queries. Exploitation has not been reported, and the issue has been addressed in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Users are advised to update their systems to prevent potential code execution and data breaches.",PostgreSQL,Postgresql,8.8,HIGH,0.000699999975040555,false,,true,false,true,2024-11-15T16:51:27.000Z,,false,false,,2024-11-14T13:15:00.000Z,223
CVE-2024-7348,https://securityvulnerability.io/vulnerability/CVE-2024-7348,Attackers Can Execute Arbitrary SQL Functions via Time-of-check Time-of-use Race Condition in PostgreSQL's pg_dump,"The vulnerability identified as CVE-2024-7348 in the PostgreSQL database system allows attackers to execute arbitrary SQL functions, posing a significant security risk, particularly for superusers running the pg_dump utility. This is a Time-of-check Time-of-use (TOCTOU) race condition that can be exploited by replacing relation types with a view or foreign table. The attack is particularly easy to win if the attacker maintains an open transaction. Systems running PostgreSQL versions prior to 16.4, 15.8, 14.13, 13.16, and 12.20 are affected, and the PostgreSQL project has released patches for these versions. It is important for users to update their systems promptly to mitigate the risk of unauthorized SQL function execution. The vulnerability has been assigned a high severity rating due to its potential confidentiality, integrity, and availability impacts. The attack has not been exploited in the wild, and there is no evidence of ransomware groups targeting this vulnerability.",PostgreSQL,Postgresql,7.5,HIGH,0.0005000000237487257,false,,true,false,false,,,false,false,,2024-08-08T13:15:00.000Z,0
CVE-2024-0985,https://securityvulnerability.io/vulnerability/CVE-2024-0985,Late Privilege Drop Vulnerability in PostgreSQL Allows Arbitrary SQL Execution,"A late privilege drop vulnerability in the REFRESH MATERIALIZED VIEW CONCURRENTLY command of PostgreSQL can be exploited by an object creator to execute arbitrary SQL functions under the privileges of the command issuer. This vulnerability compromises the intended safety of refreshing untrusted materialized views, placing superusers or users with assigned roles at risk if they are manipulated into executing specific commands on the attacker's materialized view. Versions of PostgreSQL prior to 16.2, 15.6, 14.11, 13.14, and 12.18 may be particularly vulnerable, necessitating immediate security measures for affected installations.",PostgreSQL,Postgresql,8,HIGH,0.00171999994199723,false,,true,false,false,,,false,false,,2024-02-08T13:00:02.411Z,0
CVE-2023-2454,https://securityvulnerability.io/vulnerability/CVE-2023-2454,Arbitrary Code Execution Vulnerability in PostgreSQL by Red Hat,"A specific vulnerability in PostgreSQL allows authenticated attackers with elevated database-level privileges to execute arbitrary code. The issue arises when certain database calls bypass protective changes to the search_path, potentially compromising the database's integrity. This could lead to unauthorized actions within the database, thereby representing a significant risk for systems that rely on this database management system.",Postgresql,postgresql,7.2,HIGH,0.004470000043511391,false,,false,false,false,,,false,false,,2023-06-09T00:00:00.000Z,0
CVE-2022-4223,https://securityvulnerability.io/vulnerability/CVE-2022-4223,Improperly Secured API in pgAdmin Affects PostgreSQL Path Validation,"The pgAdmin server incorporates an HTTP API designed to validate user-selected paths to PostgreSQL utilities, such as pg_dump and pg_restore. However, versions of pgAdmin prior to 6.17 have inadequately secured this API, allowing unauthenticated users to specify arbitrary paths. This weakness can lead to unexpected execution of executables from a defined path on the server, posing a significant risk to system integrity and data security.",Postgresql,Pgadmin4,8.8,HIGH,0.013199999928474426,false,,false,false,false,,,false,false,,2022-12-13T00:00:00.000Z,0
CVE-2022-1552,https://securityvulnerability.io/vulnerability/CVE-2022-1552,Privilege Escalation Vulnerability in PostgreSQL by PostgreSQL Global Development Group,"A flaw exists within PostgreSQL that allows a privileged user operating on another user's objects to sidestep essential protections during certain database commands. Commands like Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck may activate protections inadequately or too late. Consequently, an attacker with permissions to create non-temporary objects in a schema can execute arbitrary SQL functions with superuser rights, potentially compromising database integrity.",Postgresql,Postgresql,8.8,HIGH,0.0026100000832229853,false,,false,false,false,,,false,false,,2022-08-31T00:00:00.000Z,0
CVE-2022-2625,https://securityvulnerability.io/vulnerability/CVE-2022-2625,Arbitrary Code Execution Vulnerability in PostgreSQL by PostgreSQL Global Development Group,"This vulnerability in PostgreSQL allows an attacker with the required permissions to leverage the ability to create non-temporary objects in a schema. By luring or waiting for an administrator to create or update an affected extension, the attacker can gain the ability to execute arbitrary code with the same privileges as the victim role, potentially including superuser rights. Successful exploitation necessitates a strategic combination of user interaction and permission manipulation, making it crucial for users to apply timely updates and implement security best practices.",Postgresql,Postgresql,8,HIGH,0.002309999894350767,false,,false,false,false,,,false,false,,2022-08-18T00:00:00.000Z,0
CVE-2022-26520,https://securityvulnerability.io/vulnerability/CVE-2022-26520,File Manipulation Vulnerability in pgjdbc Driver Affecting Applications,"A vulnerability exists in the pgjdbc JDBC driver prior to version 42.3.3 that allows an attacker with control over the JDBC URL or properties to exploit the loggerFile and loggerLevel connection properties. This can result in the ability to write arbitrary files to the system, including creating executable JSP files within a Tomcat web root. While the vendor asserts that the risk lies with any application using the pgjdbc driver with untrusted connection properties, it highlights the importance of securing application configurations to prevent unauthorized file access and execution.",Postgresql,Postgresql Jdbc Driver,9.8,CRITICAL,0.0030499999411404133,false,,false,false,false,,,false,false,,2022-03-10T17:47:00.000Z,0
CVE-2021-23214,https://securityvulnerability.io/vulnerability/CVE-2021-23214,SQL Injection Vulnerability in PostgreSQL with Trust Authentication,"A vulnerability exists in the PostgreSQL database when configured with trust authentication alongside a client certificate requirement. This can allow a man-in-the-middle attacker to craft and inject arbitrary SQL queries during the initial connection setup. This occurs even with SSL certificate verification and encryption enabled, exposing users to significant risk if they do not secure their database instances properly.",Postgresql,Postgresql,8.1,HIGH,0.001970000099390745,false,,false,false,false,,,false,false,,2022-03-04T00:00:00.000Z,0
CVE-2022-21724,https://securityvulnerability.io/vulnerability/CVE-2022-21724,Unchecked Class Instantiation when providing Plugin Classes,"pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.",Postgresql,Postgresql Jdbc Driver,7,HIGH,0.00949000008404255,false,,false,false,false,,,false,false,,2022-02-02T11:48:52.000Z,0
CVE-2021-32027,https://securityvulnerability.io/vulnerability/CVE-2021-32027,SQL Injection Vulnerability in PostgreSQL Affecting Multiple Versions,"A security flaw exists within PostgreSQL that allows authenticated users to exploit missing bounds checks while modifying certain SQL array values. This vulnerability can lead to the injection of arbitrary bytes into a wide area of server memory, posing risks to data confidentiality, system integrity, and overall system availability. Users of PostgreSQL versions prior to 13.3, 12.7, 11.12, 10.17, and 9.6.22 should prioritize upgrading to mitigate potential threats.",Postgresql,Postgresql,8.8,HIGH,0.002460000105202198,false,,false,false,false,,,false,false,,2021-06-01T00:00:00.000Z,0
CVE-2019-10128,https://securityvulnerability.io/vulnerability/CVE-2019-10128,Local Code Execution Vulnerability in PostgreSQL by EnterpriseDB,"A security vulnerability exists in PostgreSQL versions prior to 11.3, which results from inadequate access control on the binary and data directories in the Windows installer provided by EnterpriseDB. This improper configuration permits local attackers to read sensitive files within the data directory, thus bypassing the read access restrictions enforced by the database. Moreover, in certain configurations, an attacker with an unprivileged Windows account can exploit this flaw to execute arbitrary code under the context of the PostgreSQL service, posing significant risks to system integrity.",Postgresql,Postgresql,7.8,HIGH,0.0004199999966658652,false,,false,false,false,,,false,false,,2021-03-19T19:15:11.000Z,0
CVE-2019-10127,https://securityvulnerability.io/vulnerability/CVE-2019-10127,PostgreSQL Windows Installer Security Flaw in Data Directory Access,"A security vulnerability in the Windows installer for PostgreSQL affects versions 11.x prior to 11.3, where the Access Control List (ACL) for both the binary installation and data directory remains open to inherited permissions. Consequently, an attacker with an unprivileged Windows or PostgreSQL account can exploit this flaw to execute arbitrary code or gain unauthorized access to sensitive data, bypassing the read access limitations enforced by the database. The vulnerability underscores the necessity for stricter ACL configurations to prevent potential data breaches and protect system integrity.",Postgresql,Postgresql,8.8,HIGH,0.00044999999227002263,false,,false,false,false,,,false,false,,2021-03-19T18:52:27.000Z,0
CVE-2020-25696,https://securityvulnerability.io/vulnerability/CVE-2020-25696,PostgreSQL psql Interactive Terminal Vulnerability in Multiple Versions,"A vulnerability in the psql interactive terminal of PostgreSQL prior to specified versions allows an attacker exploiting a compromised server to run arbitrary code under the operating system account that executes psql. This can severely compromise data confidentiality and integrity, as well as system availability. Users of affected versions should apply security updates promptly to mitigate the risk associated with this vulnerability.",Postgresql,Postgresql,7.5,HIGH,0.005419999826699495,false,,false,false,false,,,false,false,,2020-11-23T21:15:47.000Z,0
CVE-2020-25695,https://securityvulnerability.io/vulnerability/CVE-2020-25695,SQL Injection Vulnerability in PostgreSQL by PostgreSQL Global Development Group,"An identified vulnerability in PostgreSQL allows attackers with permissions to create non-temporary objects in at least one schema to execute arbitrary SQL functions as a superuser. This flaw compromises the data confidentiality, integrity, and availability of the system, posing significant risks to organizations that utilize this database management system. Users are advised to update to the latest versions to mitigate potential exploitation.",Postgresql,Postgresql,8.8,HIGH,0.0059899999760091305,false,,false,false,false,,,false,false,,2020-11-16T00:40:36.000Z,0
CVE-2020-25694,https://securityvulnerability.io/vulnerability/CVE-2020-25694,Man-in-the-Middle Vulnerability in PostgreSQL by PostgreSQL Global Development Group,"PostgreSQL versions prior to 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24 are susceptible to a flaw that could allow attackers to exploit weakened connection settings. This occurs when client applications drop security-critical connection parameters, potentially enabling a man-in-the-middle attack. As a result, sensitive data in transit could be intercepted, compromising both confidentiality and integrity, and threatening system availability.",Postgresql,Postgresql,8.1,HIGH,0.002090000081807375,false,,false,false,false,,,false,false,,2020-11-16T00:38:53.000Z,0
CVE-2020-10733,https://securityvulnerability.io/vulnerability/CVE-2020-10733,Arbitrary Code Execution in PostgreSQL Installer by PostgreSQL,"The PostgreSQL installer for versions 9.5 through 12 has a vulnerability that allows an attacker, with proper permissions, to place malicious executables in directories searched by the installer. Due to the lack of fully-qualified paths when invoking system-provided executables, this allows those malicious executables to take precedence, potentially leading to execution of arbitrary code with administrative privileges during the installation process.",Postgresql,Postgresql,7.3,HIGH,0.000539999979082495,false,,false,false,false,,,false,false,,2020-09-16T14:55:56.000Z,0
CVE-2020-14350,https://securityvulnerability.io/vulnerability/CVE-2020-14350,PostgreSQL Search Path Misconfiguration Vulnerability in Extensions,"Certain PostgreSQL extensions contain a misconfiguration within their installation scripts that fails to use the search_path securely. This flaw permits an attacker with sufficient privileges to manipulate an administrator into inadvertently executing a crafted script during the installation or update process. The affected versions span PostgreSQL 12.4, 11.9, 10.14, 9.6.19, and 9.5.23 and require immediate attention to mitigate potential exploitation.",Postgresql,Postgresql,7.3,HIGH,0.00044999999227002263,false,,false,false,false,,,false,false,,2020-08-24T12:42:45.000Z,0
CVE-2020-14349,https://securityvulnerability.io/vulnerability/CVE-2020-14349,SQL Command Injection Vulnerability in PostgreSQL Database,A vulnerability exists in PostgreSQL that could allow an authenticated attacker to manipulate the search_path during logical replication in order to execute arbitrary SQL commands within the replication user's context. This flaw emphasizes the importance of proper sanitization in database operations to protect against potential unauthorized actions.,Postgresql,Postgresql,7.1,HIGH,0.002940000034868717,false,,false,false,false,,,false,false,,2020-08-24T12:32:13.000Z,0
CVE-2020-13692,https://securityvulnerability.io/vulnerability/CVE-2020-13692,PostgreSQL JDBC Driver Vulnerability in PgJDBC,"The PostgreSQL JDBC Driver, also known as PgJDBC, is at risk of XML External Entity (XXE) injection due to improper handling of XML input in versions prior to 42.2.13. This flaw could allow an attacker to exploit the application’s parsing of XML data, potentially resulting in unauthorized access to sensitive data and services. It is recommended to update to version 42.2.13 or later to mitigate this vulnerability.",Postgresql,Postgresql Jdbc Driver,7.7,HIGH,0.010470000095665455,false,,false,false,false,,,false,false,,2020-06-04T15:07:37.000Z,0
CVE-2015-0241,https://securityvulnerability.io/vulnerability/CVE-2015-0241,Buffer Overflow Vulnerability in PostgreSQL Affects Multiple Versions,"The to_char function in PostgreSQL prior to version 9.0.19 and various other versions allows remote authenticated users to exploit improperly handled input. This can result in a denial of service condition due to crashes triggered by excessively large numeric formatting inputs or specially crafted timestamp templates, potentially leading to remote code execution through buffer overflow vulnerabilities.",Postgresql Global Development Group,Postgresql,8.8,HIGH,0.0036299999337643385,false,,false,false,false,,,false,false,,2020-01-27T15:29:37.000Z,0
CVE-2015-0242,https://securityvulnerability.io/vulnerability/CVE-2015-0242,Stack-Based Buffer Overflow Vulnerability in PostgreSQL on Windows,"A stack-based buffer overflow is present in the printf function implementations of PostgreSQL on Windows systems. This vulnerability permits remote authenticated users to exploit a flaw by utilizing floating point numbers with excessive precision, potentially leading to a denial of service due to application crashes or, in certain scenarios, allowing the execution of arbitrary code. The affected PostgreSQL versions range from pre-9.0.19 through several 9.1.x, 9.2.x, 9.3.x, and 9.4.x builds, making it crucial for users to upgrade to patched versions.",Postgresql Global Development Group,Postgresql,8.8,HIGH,0.0036299999337643385,false,,false,false,false,,,false,false,,2020-01-27T15:29:33.000Z,0
CVE-2015-0243,https://securityvulnerability.io/vulnerability/CVE-2015-0243,Buffer Overflow Vulnerability in PostgreSQL Affects Multiple Versions,"Multiple buffer overflow vulnerabilities in the contrib/pgcrypto component of PostgreSQL allow remote authenticated users to exploit unspecified vectors, potentially leading to a denial of service (crash) and the execution of arbitrary code. This affects multiple versions prior to specified releases, posing a significant security risk.",Postgresql Global Development Group,Postgresql,8.8,HIGH,0.0036700000055134296,false,,false,false,false,,,false,false,,2020-01-27T15:29:28.000Z,0
CVE-2015-0244,https://securityvulnerability.io/vulnerability/CVE-2015-0244,SQL Injection Vulnerability in PostgreSQL Database by PostgreSQL Global Development Group,"The vulnerability in PostgreSQL allows remote attackers to exploit improper error handling while reading protocol messages. By sending crafted binary data as a parameter, an attacker can trigger a loss of synchronization in the protocol, effectively causing part of the message to be processed as a new one. This can lead to unauthorized SQL command execution and potentially compromise the database integrity.",Postgresql Global Development Group,Postgresql,9.8,CRITICAL,0.0044999998062849045,false,,false,false,false,,,false,false,,2020-01-27T15:29:25.000Z,0