VYPR
AI Brief · 2026-05-19 · generated May 19, 2026

PostgreSQL Emergency Patches Land

PostgreSQL issues emergency patches for four critical bugs enabling full server compromise, while a ChurchCRM pre-auth RCE at CVSS 10.0 resurfaces.

PostgreSQL ships emergency patches for four critical bugs that enable full server compromise. The PostgreSQL Global Development Group released updates addressing CVE-2026-6473, CVE-2026-6475, CVE-2026-6477, and CVE-2026-6637, which together allow an unprivileged database user, or a rogue superuser, to achieve code execution and to hijack files at the OS level. CVE-2026-6473 is an integer-wraparound bug in several server features: an unprivileged user can force an undersized allocation and the out-of-bounds writes that follow, potentially executing arbitrary code as the OS user running the database. CVE-2026-6475 is a symlink-following flaw in pg_basebackup (plain format) and pg_rewind; a superuser on the origin server can make the tool overwrite local files such as .bashrc on the host where it runs, hijacking that OS account. CVE-2026-6477 abuses the inherently dangerous fast-path PQfn() function, which libpq's lo_export(), lo_read(), lo_lseek64(), and lo_tell64() use, to let a server superuser overwrite a stack buffer in the connecting client with arbitrary data. CVE-2026-6637 is a stack buffer overflow in the "refint" contrib module that lets an unprivileged user execute code as the database OS user. As Dark Reading reported, one of these bugs was discovered via an AI-assisted code scan that surfaced a nine-year-old latent vulnerability. All supported PostgreSQL versions should be updated immediately. Note that two of the four (CVE-2026-6475 and CVE-2026-6477) are exploited against the client side, so backup hosts, replicas and application servers that carry libpq or the client tools need the update as much as the database server does.
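The integer-wraparound pattern the brief describes for CVE-2026-6473, as an added illustration in C rather than PostgreSQL's own code: a count supplied by an unprivileged user is multiplied by a record size in 32-bit arithmetic, the product wraps, the allocation comes back tiny, and the fill loop writes past it. ENTRY_SIZE, MAX_ALLOC and every function name here are assumptions for the example; nothing in it reproduces the actual vulnerable server feature or an exploit. The hardened path does the multiply with overflow detection and applies an explicit cap before any memory is touched.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustration of the integer-wraparound class only: neither the record
 * layout nor the constants below come from PostgreSQL.  ENTRY_SIZE and
 * MAX_ALLOC are assumptions; MAX_ALLOC plays the role of an allocator cap. */
#define ENTRY_SIZE 64u
#define MAX_ALLOC  0x3fffffffu

/* Vulnerable sizing: a 32-bit product that wraps once n exceeds
 * UINT32_MAX / ENTRY_SIZE, so a huge count yields a tiny byte count. */
uint32_t wrapping_size(uint32_t n)
{
    return n * ENTRY_SIZE;
}

/* How many entries the vulnerable allocation can really hold.  The caller
 * believes it holds n; every entry beyond this is an out-of-bounds write. */
uint32_t unsafe_capacity(uint32_t n)
{
    return wrapping_size(n) / ENTRY_SIZE;
}

/* Hardened sizing: overflow-checked multiply, then an explicit cap.
 * Returns 1 and stores the byte count on success, 0 on rejection. */
int checked_size(uint32_t n, size_t *out)
{
    size_t bytes;
    if (__builtin_mul_overflow((size_t)n, (size_t)ENTRY_SIZE, &bytes))
        return 0;
    if (bytes > MAX_ALLOC)
        return 0;
    *out = bytes;
    return 1;
}

/* Hardened copy path: allocate with checked_size() and fill n entries with
 * a constructed byte pattern.  Returns NULL when the request is rejected, so
 * the out-of-bounds write is never reachable. */
unsigned char *fill_entries(uint32_t n)
{
    size_t bytes;
    if (!checked_size(n, &bytes))
        return NULL;
    unsigned char *buf = malloc(bytes);
    if (buf == NULL)
        return NULL;
    for (uint32_t i = 0; i < n; i++)
        memset(buf + (size_t)i * ENTRY_SIZE, (int)(i & 0xff), ENTRY_SIZE);
    return buf;
}

int main(void)
{
    /* 0x04000001 * 64 = 0x100000040, which truncates to 0x40 in 32 bits. */
    uint32_t hostile = 0x04000001u;
    printf("requested %u entries, vulnerable path allocates %u bytes (%u entries)\n",
           hostile, wrapping_size(hostile), unsafe_capacity(hostile));

    unsigned char *ok = fill_entries(3);
    printf("checked path: 3 entries -> %s\n", ok ? "allocated" : "rejected");
    free(ok);
    printf("checked path: hostile count -> %s\n",
           fill_entries(hostile) ? "allocated" : "rejected");
    return 0;
}
```

With the hostile count the vulnerable path returns a 64-byte buffer that the caller believes holds 67 million entries. The checked path rejects it on a 64-bit build because the product exceeds the cap, and on a 32-bit build because the multiply itself overflows; either way the decision is made before the allocation, which is the property to look for when reviewing allocation sites.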

ChurchCRM's incomplete patch leaves a critical pre-auth RCE open at CVSS 10.0. CVE-2026-42288 carries a 10.0 CVSS score and affects ChurchCRM versions prior to 7.3.2. It is an incomplete fix for CVE-2026-39337: the setup wizard's DB_PASSWORD parameter is still not sanitized, so an unauthenticated remote attacker can inject arbitrary code before any login is required. ChurchCRM is widely deployed by religious organizations that may lack dedicated security teams, which makes it a prime target for opportunistic exploitation. Rapid7 noted in its Metasploit Wrap-Up that the original bug was already weaponized; because this is a bypass of that fix, the existing Metasploit module likely needs only minor changes. Organizations running ChurchCRM should upgrade to 7.3.2 immediately and treat the setup wizard as an attack surface in its own right: keep it unreachable from untrusted networks, and do not assume the earlier patch closed it.

FleetDM patches a critical RCE in its software installer pipeline on macOS, Linux, and Windows. CVE-2026-26191 (CVSS 9.8) affects Fleet, the open-source device management platform, in versions prior to 4.81.0. A crafted software package passing through Fleet's software installer pipeline can execute arbitrary commands as root on macOS and Linux or as SYSTEM on Windows. Because Fleet manages whole fleets of endpoints in enterprise MDM and IT-operations contexts, successful exploitation would hand an attacker full control of every managed device that installs the package. No public PoC has been reported yet, but the 9.8 rating and the privileged execution context make this an urgent patch; until it is applied, treat the ability to upload or modify software packages in Fleet as equivalent to root on every enrolled host.

Gotenberg discloses two critical bugs, metadata injection and filter bypass, both at CVSS 9.8. CVE-2026-42589 and CVE-2026-42596 affect Gotenberg, the popular Docker-packaged PDF generation API, in versions prior to 8.31.0. CVE-2026-42589 is command injection via the /forms/pdfengines/metadata/write endpoint, which passes unsanitized JSON metadata keys straight to ExifTool through the go-exiftool library. CVE-2026-42596 is a bypass of the default deny-lists used by Gotenberg's downloadFrom and webhook features: the filter is a case-sensitive regex, and an unauthenticated attacker can evade it. Gotenberg is commonly deployed in document-processing pipelines and is often reachable from the internal network or even the internet. Neither bug requires authentication. The metadata injection gives an attacker server-side code execution through a widely used PDF utility, and the deny-list bypass matters because downloadFrom and webhook make the server fetch or call attacker-chosen URLs, so evading the filter reopens the server-side request forgery against internal hosts that the deny-list was meant to block.
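What a case-sensitive URL deny-list misses, as an added example that is not Gotenberg's code: DENY_PATTERN is a hypothetical stand-in for a default deny-list, not the project's real one, and the probe URLs are constructed. The vulnerable filter matches the raw URL with a case-sensitive POSIX regex; since scheme and host are case-insensitive on the wire, "http://LOCALHOST/" passes the filter and is then fetched as localhost. The hardened filter lowercases scheme and host before matching and compiles the pattern with REG_ICASE.

```c
#include <ctype.h>
#include <regex.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical deny-list for illustration; it is not Gotenberg's actual
 * default.  Blocks loopback and the cloud metadata address. */
static const char *DENY_PATTERN =
    "^https?://(localhost|127\\.0\\.0\\.1|169\\.254\\.169\\.254)(:[0-9]+)?(/|$)";

/* Returns 1 if url matches pattern, 0 if not, -1 if the regex fails to compile. */
static int matches(const char *pattern, int flags, const char *url)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB | flags) != 0)
        return -1;
    int rc = regexec(&re, url, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Vulnerable filter: case-sensitive match on the raw URL.  Scheme and host
 * are case-insensitive, so "http://LOCALHOST/" slips through and the server
 * then connects to localhost anyway. */
int denied_case_sensitive(const char *url)
{
    return matches(DENY_PATTERN, 0, url);
}

/* Lowercase the scheme and host only (everything up to the first '/' after
 * "://"); the path may be case-sensitive on the target and is left alone. */
static void normalize_url(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        n = dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    char *sep = strstr(dst, "://");
    char *path = sep ? strchr(sep + 3, '/') : NULL;
    size_t stop = path ? (size_t)(path - dst) : n;
    for (size_t i = 0; i < stop; i++)
        dst[i] = (char)tolower((unsigned char)dst[i]);
}

/* Hardened filter: normalize first, and compile with REG_ICASE as a second
 * layer so a future edit to the pattern cannot silently reopen the gap. */
int denied_normalized(const char *url)
{
    char buf[2048];
    normalize_url(buf, sizeof buf, url);
    return matches(DENY_PATTERN, REG_ICASE, buf);
}

int main(void)
{
    /* Constructed probe URLs, not taken from any real report. */
    const char *probes[] = {
        "http://localhost/admin",
        "http://LOCALHOST/admin",
        "HTTP://127.0.0.1:8080/",
        "https://example.com/report.pdf",
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-32s case-sensitive=%d normalized=%d\n", probes[i],
               denied_case_sensitive(probes[i]), denied_normalized(probes[i]));
    return 0;
}
```

Case folding closes only the gap the brief names. Textual deny-lists stay fragile against decimal or hexadecimal IP encodings, hostnames that resolve to loopback, and redirects after the check; the durable control for a URL-fetching service is to resolve the host and check the resulting address at connect time, and to restrict the container's egress so that internal and metadata addresses are unreachable regardless of what the filter decides.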

Espressif arduino-esp32 WebServer flaw enables stack-based RCE on millions of IoT devices. CVE-2026-42854 (CVSS 9.8) affects arduino-esp32, the Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6, and ESP32-H2 microcontrollers, in versions prior to 3.3.8. The WebServer library's multipart form parser sizes a variable-length array (VLA) on the stack from request data without bounding it, so an attacker can corrupt the stack and achieve remote code execution. Given the ESP32's ubiquity in consumer IoT, industrial sensors, and smart-home products, the real-world attack surface is enormous. Exploitation requires that the device run the WebServer component and parse multipart form posts, but that is a very common configuration in ESP32 projects. Developers should update to arduino-esp32 3.3.8, then rebuild and redeploy any fielded firmware that links the affected library, since the fix only protects devices that actually receive new firmware.
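The unbounded-VLA pattern described for the WebServer multipart parser, as an added illustration in C rather than arduino-esp32's code. The brief does not say which request field sizes the real VLA; the example assumes a per-part Content-Length header and a MAX_PART_BYTES cap, both hypothetical, and puts the vulnerable parser beside a hardened one. The vulnerable function is only ever called with benign input, because with the hostile header it would try to carve 100 MB out of a stack of a few kilobytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap for the hardened parser.  The real value would be chosen
 * from the task's stack budget, which on an ESP32 is a few kilobytes. */
#define MAX_PART_BYTES 512

/* Constructed helper: pull the decimal value of a "Content-Length:" line out
 * of a part header.  Returns -1 if the header is absent or unparsable. */
static long content_length_of(const char *hdr)
{
    const char *p = strstr(hdr, "Content-Length:");
    if (p == NULL)
        return -1;
    p += strlen("Content-Length:");
    while (*p == ' ')
        p++;
    char *end;
    long v = strtol(p, &end, 10);
    return end == p ? -1 : v;
}

/* Vulnerable pattern: the stack buffer is sized from the attacker's header.
 * Only the lower bound is checked; nothing stops len from exceeding the
 * stack, and nothing checks it against the bytes actually received.
 * Only ever call this with benign input. */
int copy_part_unsafe(const char *hdr, const char *body, char *out, size_t outsz)
{
    long len = content_length_of(hdr);
    if (len <= 0)
        return -1;
    char tmp[len];                    /* VLA: size is attacker controlled */
    memcpy(tmp, body, (size_t)len);   /* also over-reads a short body */
    if ((size_t)len >= outsz)
        return -1;
    memcpy(out, tmp, (size_t)len);
    out[len] = '\0';
    return (int)len;
}

/* Hardened version: fixed-size buffer, and the declared length is checked
 * against the cap, the bytes actually received and the caller's output
 * space before any copy happens. */
int copy_part_safe(const char *hdr, const char *body, size_t bodylen,
                   char *out, size_t outsz)
{
    long len = content_length_of(hdr);
    if (len <= 0 || (size_t)len > MAX_PART_BYTES || (size_t)len > bodylen
        || (size_t)len >= outsz)
        return -1;
    char tmp[MAX_PART_BYTES];
    memcpy(tmp, body, (size_t)len);
    memcpy(out, tmp, (size_t)len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed multipart part headers and body. */
    const char *benign_hdr =
        "Content-Disposition: form-data; name=\"f\"\r\nContent-Length: 5\r\n\r\n";
    const char *hostile_hdr =
        "Content-Disposition: form-data; name=\"f\"\r\nContent-Length: 100000000\r\n\r\n";
    const char *body = "hello";
    char out[64];

    printf("unsafe, benign:  %d (%s)\n",
           copy_part_unsafe(benign_hdr, body, out, sizeof out), out);
    printf("safe,   benign:  %d (%s)\n",
           copy_part_safe(benign_hdr, body, strlen(body), out, sizeof out), out);
    printf("safe,   hostile: %d\n",
           copy_part_safe(hostile_hdr, body, strlen(body), out, sizeof out));
    /* copy_part_unsafe(hostile_hdr, ...) is deliberately not called: it would
     * corrupt the stack or crash the process. */
    return 0;
}
```

When auditing firmware for this class, grep for VLAs and alloca() calls in anything that touches request data; a fixed-size buffer plus an explicit reject is the right shape on a microcontroller, where a stack overrun does not reliably produce a clean fault.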

MongoDB time-series collection bug allows an authenticated out-of-bounds write, and a wave of legacy OT/IoT CVEs surfaces. CVE-2026-8053 (CVSS 8.8) affects MongoDB Server's time-series collection implementation: an inconsistency in internal index handling lets an authenticated user with write privileges on a database trigger an out-of-bounds memory write in the mongod process, so any application account that can write to a time-series collection is a potential path to compromising the server process. Separately, a cluster of critical- and high-severity legacy vulnerabilities was published today affecting industrial and network-edge products: CVE-2021-3854 (SQLi in Useroam Hotspot, CVSS 9.8), CVE-2021-4105 (remote code inclusion in BG-TEK COSLAT Firewall, CVSS 9.8), CVE-2022-4557 and CVE-2022-45088 (SQLi and LFI in Group Arge Smartpower Web, both CVSS 9.8), CVE-2021-3825 (LDAP credential leak in LiderAhenk, CVSS 9.6), and CVE-2021-3855 (command injection in Liman MYS, CVSS 8.8). These are years-old unpatched flaws in OT, ISP, and building-management systems that attackers are likely already aware of. Treat them as actively targeted, and where patching is not feasible prioritize network segmentation and access controls so that the affected management interfaces are not reachable from untrusted networks.

Synthesized by Vypr AI