PostgreSQL

Products by PostgreSQL Sorted by Most Security Vulnerabilities since 2018

PostgreSQL: 83 vulnerabilities
The PostgreSQL Database Server

PostgreSQL JDBC Driver: 8 vulnerabilities
The Java JDBC Driver for PostgreSQL Database Servers, also known as pgjdbc

PostgreSQL pgAdmin: 5 vulnerabilities
pgAdmin is an administration tool for PostgreSQL databases

By the Year

In 2026 there have been 0 vulnerabilities in PostgreSQL. Last year, in 2025, PostgreSQL had 9 security vulnerabilities published. Right now, PostgreSQL is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 9 5.03
2024 11 6.66
2023 10 5.31
2022 13 7.54
2021 5 6.08
2020 8 7.54
2019 7 6.51
2018 9 8.11

It may take a day or so for new PostgreSQL vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent PostgreSQL Security Vulnerabilities

CVE | Date | Product

CVE-2025-12818 | Nov 13, 2025 | PostgreSQL
PostgreSQL libpq Int Wraparound OOB Allocation 13-17 Pre-18.1
Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

CVE-2025-12817 | Nov 13, 2025 | PostgreSQL
PostgreSQL CREATE STATISTICS Auth Bypass Causing DoS 18.1
Missing authorization in the PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

CVE-2025-8714 | Aug 14, 2025 | PostgreSQL
PostgreSQL < 17.6: pg_dump Untrusted Data Inclusion Exec Vulnerability
Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.

CVE-2025-8713 | Aug 14, 2025 | PostgreSQL
PostgreSQL <=16.10 / <=17.6 Optimizer Stats leak VIEW & RLS
PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.

CVE-2025-8715 | Aug 14, 2025 | PostgreSQL
CVE-2025-8715: pg_dump Newline Code Injection (PG <17.6, <16.10, <15.14, <14.19, <13.22)
Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.

CVE-2025-1709 | Jul 03, 2025 | PostgreSQL
Plain Text Credentials Stored in Local PostgreSQL Database
Several credentials for the local PostgreSQL database are stored in plain text (partially base64 encoded).

CVE-2025-4207 | May 08, 2025 | PostgreSQL
PostgreSQL GB18030 Buffer Over-read (before 17.5/16.9/15.13/14.18/13.21)
Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.

CVE-2025-2946 | Apr 03, 2025 | pgAdmin
pgAdmin <=9.1 XSS via Query Result Rendering
pgAdmin <= 9.1 is affected by a Cross-Site Scripting (XSS) vulnerability. If attackers execute any arbitrary HTML/JavaScript in a user's browser through query result rendering, then the HTML/JavaScript runs in the browser.

CVE-2025-1094 | Feb 13, 2025 | PostgreSQL
PostgreSQL <=17.3 Improper quoting in libpq PQescape* causes SQLi
Improper neutralization of quoting syntax in the PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.

CVE-2024-10976 | Nov 14, 2024 | PostgreSQL
PostgreSQL Row Security Policy Misapplication Vulnerability
Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).