Bitnami package

postgresql

pkg:bitnami/postgresql

Vulnerabilities (58)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-6638	Low	3.7	>= 16.0.0, < 16.14.0	16.14.0	May 14, 2026	SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major vers
CVE-2026-6637	Hig	8.8	< 14.23.0	14.23.0	May 14, 2026	Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary
CVE-2026-6575	Med	4.3	>= 18.0.0, < 18.4.0	18.4.0	May 14, 2026	Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor ve
CVE-2026-6479	Hig	7.5	< 14.23.0	14.23.0	May 14, 2026	Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions b
CVE-2026-6478	Med	6.5	< 14.23.0	14.23.0	May 14, 2026	Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may
CVE-2026-6477	Hig	8.8	< 14.23.0	14.23.0	May 14, 2026	Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., resu
CVE-2026-6476	Hig	7.2	>= 17.0.0, < 17.10.0	17.10.0	May 14, 2026	SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and
CVE-2026-6475	Hig	8.8	< 14.23.0	14.23.0	May 14, 2026	Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implic
CVE-2026-6474	Med	4.3	< 14.23.0	14.23.0	May 14, 2026	Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6473	Hig	8.8	< 14.23.0	14.23.0	May 14, 2026	Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gi
CVE-2026-6472	Med	5.4	< 14.23.0	14.23.0	May 14, 2026	Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Version
CVE-2026-2007		—	>= 18.0.0, < 18.2.0	18.2.0	Feb 12, 2026	Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation.
CVE-2026-2006		—	< 14.21.0	14.21.0	Feb 12, 2026	Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL
CVE-2026-2005		—	< 14.21.0	14.21.0	Feb 12, 2026	Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
CVE-2026-2004		—	< 14.21.0	14.21.0	Feb 12, 2026	Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
CVE-2026-2003		—	< 14.21.0	14.21.0	Feb 12, 2026	Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before Po
CVE-2025-12818	Med	5.9	< 13.23.0	13.23.0	Nov 13, 2025	Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application usin
CVE-2025-12817	Low	3.1	< 13.23.0	13.23.0	Nov 13, 2025	Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail.
CVE-2025-8715	Hig	8.8	>= 11.20.0, < 13.22.0	13.22.0	Aug 14, 2025	Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name
CVE-2025-8714	Hig	8.8	< 13.22.0	13.22.0	Aug 14, 2025	Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected.

CVE-2026-6638LowMay 14, 2026
affected >= 16.0.0, < 16.14.0fixed 16.14.0
SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major vers
CVE-2026-6637HigMay 14, 2026
affected < 14.23.0fixed 14.23.0
Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary
CVE-2026-6575MedMay 14, 2026
affected >= 18.0.0, < 18.4.0fixed 18.4.0
Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor ve
CVE-2026-6479HigMay 14, 2026
affected < 14.23.0fixed 14.23.0
Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions b
CVE-2026-6478MedMay 14, 2026
affected < 14.23.0fixed 14.23.0
Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may
CVE-2026-6477HigMay 14, 2026
affected < 14.23.0fixed 14.23.0
Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., resu
CVE-2026-6476HigMay 14, 2026
affected >= 17.0.0, < 17.10.0fixed 17.10.0
SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and
CVE-2026-6475HigMay 14, 2026
affected < 14.23.0fixed 14.23.0
Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implic
CVE-2026-6474MedMay 14, 2026
affected < 14.23.0fixed 14.23.0
Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6473HigMay 14, 2026
affected < 14.23.0fixed 14.23.0
Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gi
CVE-2026-6472MedMay 14, 2026
affected < 14.23.0fixed 14.23.0
Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Version
CVE-2026-2007Feb 12, 2026
affected >= 18.0.0, < 18.2.0fixed 18.2.0
Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation.
CVE-2026-2006Feb 12, 2026
affected < 14.21.0fixed 14.21.0
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL
CVE-2026-2005Feb 12, 2026
affected < 14.21.0fixed 14.21.0
Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
CVE-2026-2004Feb 12, 2026
affected < 14.21.0fixed 14.21.0
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
CVE-2026-2003Feb 12, 2026
affected < 14.21.0fixed 14.21.0
Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before Po
CVE-2025-12818MedNov 13, 2025
affected < 13.23.0fixed 13.23.0
Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application usin
CVE-2025-12817LowNov 13, 2025
affected < 13.23.0fixed 13.23.0
Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail.
CVE-2025-8715HigAug 14, 2025
affected >= 11.20.0, < 13.22.0fixed 13.22.0
Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name
CVE-2025-8714HigAug 14, 2025
affected < 13.22.0fixed 13.22.0
Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected.

Page 1 of 3