PostgreSQL


Products by PostgreSQL, sorted by most security vulnerabilities since 2018

PostgreSQL (90 vulnerabilities)
The PostgreSQL Database Server

PostgreSQL JDBC Driver (8 vulnerabilities)
The Java JDBC driver for PostgreSQL database servers, also known as pgjdbc

PostgreSQL pgAdmin (6 vulnerabilities)
pgAdmin is an administration tool for PostgreSQL databases

By the Year

In 2026 there have been 6 vulnerabilities in PostgreSQL with an average score of 7.7 out of ten. Last year, in 2025, PostgreSQL had 9 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in PostgreSQL in 2026 could surpass last year's number. In addition, the average CVE base score of the vulnerabilities in 2026 is greater by 2.68.

Year  Vulnerabilities  Average Score
2026  6                7.72
2025  9                5.03
2024  11               6.66
2023  10               5.31
2022  13               7.54
2021  5                6.53
2020  8                7.57
2019  7                6.40
2018  9                8.24

It may take a day or so for new PostgreSQL vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent PostgreSQL Security Vulnerabilities

CVE-2026-2007 (Feb 12, 2026) - Product: PostgreSQL
PostgreSQL Heap Buffer Overflow in pg_trgm (18.1, 18.0)
Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation. PostgreSQL 18.1 and 18.0 are affected.

CVE-2026-2005 (Feb 12, 2026) - Product: PostgreSQL
Heap Buffer Overflow in PostgreSQL pgcrypto (pre 18.2/17.8/16.12/15.16/14.21) OS Exploit
Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CVE-2026-2006 (Feb 12, 2026) - Product: PostgreSQL
PostgreSQL Buffer Overrun via Char Validation (18.2/17.8/16.12/15.16/14.21)
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CVE-2026-2004 (Feb 12, 2026) - Product: PostgreSQL
PostgreSQL intarray RCE before 18.2/17.8/16.12/15.16/14.21
Missing validation of type of input in the PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CVE-2026-2003 (Feb 12, 2026) - Product: PostgreSQL
PostgreSQL <18.2 Improper oidvector Validation Server Memory Disclosure
Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out the viability of attacks that arrange for the presence of confidential information in the disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CVE-2026-1707 (Feb 05, 2026) - Product: pgAdmin
pgAdmin 9.11 Restore Key Bypass Enables Remote Exec
pgAdmin version 9.11 is affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore operation, extract the `\restrict` key in real time, and race the restore process by overwriting the restore script with a payload that re-enables meta-commands using `\unrestrict <key>`. This results in reliable command execution on the pgAdmin host during the restore operation.

CVE-2025-12818 (Nov 13, 2025) - Product: PostgreSQL
PostgreSQL libpq Int Wraparound OOB Allocation 13-17 Pre-18.1
Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

CVE-2025-12817 (Nov 13, 2025) - Product: PostgreSQL
PostgreSQL CREATE STATISTICS Auth Bypass Causing DoS 18.1
Missing authorization in the PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

CVE-2025-8713 (Aug 14, 2025) - Product: PostgreSQL
PostgreSQL <=16.10 / <=17.6 Optimizer Stats Leak VIEW & RLS
PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.

CVE-2025-8715 (Aug 14, 2025) - Product: PostgreSQL
pg_dump Newline Code Injection (PG <17.6, <16.10, <15.14, <14.19, <13.22)
Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).