VYPR

PostgreSQL

by PostgreSQL

CVEs (179)

  • CVE-2025-12817 · Low · Nov 13, 2025
    risk 0.20 · CVSS 3.1 · EPSS 0.00

    Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then…

  • CVE-2025-8713 · Low · Aug 14, 2025
    risk 0.20 · CVSS 3.1 · EPSS 0.00

    PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data…

  • CVE-2026-6638 · Low · May 14, 2026
    risk 0.17 · CVSS 3.7 · EPSS 0.00

    SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major…

  • CVE-2019-9193 · Apr 1, 2019
    risk 0.10 · CVSS n/a · EPSS 0.92

    In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused…

  • CVE-2013-1899 · Apr 4, 2013
    risk 0.07 · CVSS n/a · EPSS 0.54

    Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary…

  • CVE-2007-3280 · Jun 19, 2007
    risk 0.05 · CVSS n/a · EPSS 0.26

    The Database Link library (dblink) in PostgreSQL 8.1 implements functions via CREATE statements that map to arbitrary libraries based on the C programming language, which allows remote authenticated superusers to map and execute a function from any library, as demonstrated by…

  • CVE-2010-0733 · Mar 19, 2010
    risk 0.04 · CVSS n/a · EPSS 0.07

    Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with many LEFT JOIN clauses, related to certain hashtable size…

  • CVE-2010-0442 · Feb 2, 2010
    risk 0.04 · CVSS n/a · EPSS 0.13

    The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as…

  • CVE-2009-0922 · Mar 17, 2009
    risk 0.04 · CVSS n/a · EPSS 0.10

    PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using…

  • CVE-2005-0245 · Feb 1, 2005
    risk 0.04 · CVSS n/a · EPSS 0.14

    Buffer overflow in gram.y for PostgreSQL 8.0.0 and earlier may allow attackers to execute arbitrary code via a large number of arguments to a refcursor function (gram.y), which leads to a heap-based buffer overflow, a different vulnerability than CVE-2005-0247.

  • CVE-2000-1199 · Aug 31, 2001
    risk 0.03 · CVSS n/a · EPSS 0.01

    PostgreSQL stores usernames and passwords in plaintext in (1) pg_shadow and (2) pg_pwd, which allows attackers with sufficient privileges to gain access to databases.

  • CVE-2020-25695 · Nov 16, 2020
    risk 0.02 · CVSS n/a · EPSS 0.46

    A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a…

  • CVE-2024-10979 · Nov 14, 2024
    risk 0.01 · CVSS n/a · EPSS 0.04

    Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating…

  • CVE-2019-10164 · Jun 26, 2019
    risk 0.01 · CVSS n/a · EPSS 0.04

    PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary…

  • CVE-2015-3165 · May 28, 2015
    risk 0.01 · CVSS n/a · EPSS 0.09

    Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will…

  • CVE-2009-3231 · Sep 17, 2009
    risk 0.01 · CVSS n/a · EPSS 0.08

    The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password.

  • CVE-2026-2007 · Feb 12, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation. …

  • CVE-2026-2006 · Feb 12, 2026
    risk 0.00 · CVSS n/a · EPSS 0.01

    Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL…

  • CVE-2026-2005 · Feb 12, 2026
    risk 0.00 · CVSS n/a · EPSS 0.01

    Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

  • CVE-2026-2004 · Feb 12, 2026
    risk 0.00 · CVSS n/a · EPSS 0.01

    Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
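Several entries above state the fix as a list of minor releases, one per supported branch (the three Feb 2026 entries name 18.2, 17.8, 16.12, 15.16 and 14.21; CVE-2020-25695 names 13.1, 12.5, 11.10, 10.15, 9.6.20 and 9.5.24). Turning that into a yes/no answer for a given server needs two things the page's prose does not spell out: parsing the output of SELECT version() without being fooled by beta or devel builds, and handling the pre-10 numbering where "9.6" is the branch and "20" the minor. The following is an added example, not code from this page or from the PostgreSQL project; the fixed-version lists are copied from the entries above, the sample version strings are constructed, and the treatment of unlisted branches (older ones assumed out of support and unpatched, newer ones assumed cut after the fix) is an assumption of this example rather than something the advisories say.

```python
"""Check a PostgreSQL server version against the fixed releases an advisory names.

Added example for this CVE listing; it is not code from the page or from the
PostgreSQL project. The fixed-version lists are copied from the entries above
(CVE-2026-2004/2005/2006 share one list; CVE-2020-25695 shows the pre-10
"9.x.y" scheme). The version strings in main() are constructed samples.
"""
import re

# Fixed releases as stated in the CVE entries on this page, keyed by CVE id.
FIXED_IN = {
    "CVE-2026-2004": ["18.2", "17.8", "16.12", "15.16", "14.21"],
    "CVE-2026-2005": ["18.2", "17.8", "16.12", "15.16", "14.21"],
    "CVE-2026-2006": ["18.2", "17.8", "16.12", "15.16", "14.21"],
    "CVE-2020-25695": ["13.1", "12.5", "11.10", "10.15", "9.6.20", "9.5.24"],
}

# A release number at the start of the text, optionally preceded by the
# "PostgreSQL " that SELECT version() prints. The lookahead rejects
# "17beta1" or "16.11rc1" so pre-release builds raise instead of mis-parsing.
_RELEASE = re.compile(r"(?:PostgreSQL\s+)?(\d+(?:\.\d+)+)(?![\w.])")


def parse_version(text):
    """Return (major, minor) for a release string.

    Major is a tuple so the two-part majors used before 10 ("9.6") compare
    correctly with the one-part majors used since ("10", "16"):
    (9, 6) < (10,) holds in Python tuple order.
    """
    m = _RELEASE.match(text.strip())
    if not m:
        raise ValueError(f"no release number at start of {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if parts[0] >= 10:
        if len(parts) != 2:
            raise ValueError(f"expected MAJOR.MINOR, got {m.group(1)!r}")
        return (parts[0],), parts[1]
    if len(parts) != 3:
        raise ValueError(f"expected X.Y.Z for pre-10 releases, got {m.group(1)!r}")
    return (parts[0], parts[1]), parts[2]


def is_vulnerable(version_text, cve):
    """True if the running release is below the fix for its branch."""
    major, minor = parse_version(version_text)
    fixed = dict(parse_version(v) for v in FIXED_IN[cve])
    if major in fixed:
        return minor < fixed[major]
    # Assumption, not stated in the advisory text: the listed branches are the
    # supported ones at fix time. An older, unlisted branch was out of support
    # and never received the fix; a newer branch was cut after the fix landed.
    return major < min(fixed)


def audit(version_text):
    """Map every CVE on the page that names fixed releases to its status."""
    return {cve: is_vulnerable(version_text, cve) for cve in FIXED_IN}


if __name__ == "__main__":
    # Constructed sample inputs: a bare release, a full version() string,
    # an out-of-support branch and a pre-10 release.
    samples = [
        "16.11",
        "PostgreSQL 15.16 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 12.2.0, 64-bit",
        "13.22",
        "9.6.19",
    ]
    for s in samples:
        flags = ", ".join(f"{c}={'VULN' if v else 'ok'}" for c, v in audit(s).items())
        print(f"{s.split(' on ')[0]:<20} {flags}")
```

Feed it the string from SELECT version() or the server_version setting; a ValueError on a beta or devel build is deliberate, since those builds are outside the advisory's version arithmetic and need a manual look. Note that a version check says nothing about CVE-2019-9193 above: by the entry's own wording COPY TO/FROM PROGRAM is enabled by default for superusers and members of pg_execute_server_program, so the relevant control there is who holds those roles (the PostgreSQL project disputes that entry as a vulnerability for exactly that reason), not which minor release is running.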

Page 3 of 9