汇总 PostgreSQL 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
常见弱点模式包括 路径处理缺陷、SQL 注入、输入验证问题与XXE,在 数据访问与数据存储 使用场景中可能带来 文件覆盖、数据泄露与异常行为 等风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2026-6638 | SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected. | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 3.7 | 0.02% | 2026-05-14 | 2026-05-18 |
| CVE-2026-6637 | Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Vers | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 8.8 | 0.04% | 2026-05-14 | 2026-05-18 |
| CVE-2026-6575 | Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected. | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 4.3 | 0.03% | 2026-05-14 | 2026-05-18 |
| CVE-2026-6479 | Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 7.5 | 0.02% | 2026-05-14 | 2026-05-18 |
| CVE-2026-6478 | Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 6.5 | 0.06% | 2026-05-14 | 2026-05-18 |
| CVE-2026-6477 | Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 8.8 | 0.04% | 2026-05-14 | 2026-05-18 |
| CVE-2026-6476 | SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected. | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 7.2 | 0.03% | 2026-05-14 | 2026-05-18 |
| CVE-2026-6475 | Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the fi | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 8.8 | 0.05% | 2026-05-14 | 2026-05-18 |
| CVE-2026-6474 | Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 4.3 | 0.03% | 2026-05-14 | 2026-05-18 |
| CVE-2026-6473 | Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 8.8 | 0.06% | 2026-05-14 | 2026-05-18 |
| CVE-2026-6472 | Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 5.4 | 0.03% | 2026-05-14 | 2026-05-18 |
| CVE-2026-42198 | pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust c | [email protected] | 7.5 | 0.02% | 2026-04-29 | 2026-05-01 |
| CVE-2026-2007 | Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation. PostgreSQL 18.1 and 18.0 are affected. | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 8.2 | 0.02% | 2026-02-12 | 2026-02-20 |
| CVE-2026-2006 | Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 8.8 | 0.04% | 2026-02-12 | 2026-02-20 |
| CVE-2026-2005 | Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 8.8 | 0.03% | 2026-02-12 | 2026-02-20 |
| CVE-2026-2004 | Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 8.8 | 0.06% | 2026-02-12 | 2026-02-20 |
| CVE-2026-2003 | Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 4.3 | 0.02% | 2026-02-12 | 2026-02-20 |
| CVE-2025-49146 | pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requiremen | [email protected] | 8.2 | 0.01% | 2025-06-11 | 2025-10-06 |
| CVE-2024-10979 | Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected. | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 8.8 | 6.36% | 2024-11-14 | 2025-11-03 |
| CVE-2024-10978 | Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not | f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 4.2 | 0.61% | 2024-11-14 | 2025-11-03 |