Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
2.3
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query,...
GHSA-j88v-2chj-qfwx
Summary
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a str...
What to do
- Update github.com jackc to version 5.9.2.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| go | github.com | jackc |
< 5.9.2 Fix: upgrade to 5.9.2
|
| go | github.com | jackc | <= 4.18.3 |
| go | github.com | jackc | <= 3.6.2 |
| – | pgx_project | pgx |
< 5.9.2 cpe:2.3:a:pgx_project:pgx:*:*:*:*:*:go:*:* |
Original title
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query,...
Original description
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.
ghsa CVSS4.0
2.3
Vulnerability type
CWE-89
SQL Injection
Published: 8 May 2026 · Updated: 29 May 2026 · First seen: 22 Apr 2026