Pgbouncer
Recent CVEs (1-10)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-6665 | PgBouncer | High | 0.46 | 8.1 | 0.00 | | May 9, 2026 | The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow. |
| CVE-2015-6817 | PgBouncer | High | 0.46 | 8.1 | 0.02 | | May 23, 2017 | PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user via an unknown username. |
| CVE-2026-6664 | PgBouncer | High | 0.42 | 7.5 | 0.01 | | May 9, 2026 | An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed SCRAM authentication packet. |
| CVE-2015-4054 | PgBouncer | High | 0.42 | 7.5 | 0.04 | | May 23, 2017 | PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by sending a password packet before a startup packet. |
| CVE-2026-6666 | PgBouncer | Medium | 0.31 | 5.9 | 0.00 | | May 9, 2026 | A possible null pointer dereference in PgBouncer before 1.25.2 could lead to a crash if a server sends an error response without an SQLSTATE field. |
| CVE-2026-6667 | PgBouncer | Medium | 0.21 | 4.3 | 0.00 | | May 9, 2026 | PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed… |
| CVE-2025-12819 | PgBouncer | | 0.00 | — | 0.00 | | Dec 3, 2025 | Untrusted search path in the auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage. |
| CVE-2025-2291 | PgBouncer | | 0.00 | — | 0.00 | | Apr 16, 2025 | A password can be used past expiry in PgBouncer because auth_query does not take the Postgres VALID UNTIL value into account, which allows an attacker to log in with an already expired password. |
| CVE-2021-3935 | PgBouncer | | 0.00 | — | 0.01 | | Nov 22, 2021 | When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. This flaw affects PgBouncer versions prior to 1.16.1. |
| CVE-2012-4575 | PgBouncer | | 0.00 | — | 0.02 | | Nov 18, 2012 | The add_database function in objects.c in the pgbouncer pooler 1.5.2 for PostgreSQL allows remote attackers to cause a denial of service (daemon outage) via a long database name in a request. |