CVE-2026-41889: SQL Injection in pgx PostgreSQL Driver for Go
CVE-2026-41889
Summary
The pgx PostgreSQL driver for Go has a security issue that allows attackers to inject malicious SQL code. This can happen when the non-default simple protocol is used and the SQL query contains a dollar-quoted string literal. To fix this, update to version 5.9.2 or later of the pgx driver.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| pgx_project | pgx | < 5.9.2 (cpe:2.3:a:pgx_project:pgx:*:*:*:*:*:go:*:*) |
Original title
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query,...
Original description
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar-quoted string literal is used in the SQL query, that string literal contains text that would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.
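Added example, not the page's or pgx's own code: a hypothetical client-side placeholder interpolator of the kind a simple-protocol driver needs, written so that a `$n` that appears inside a dollar-quoted literal is copied as text and never substituted. Replacing every `$1` with a quoted argument regardless of context would be exactly the defect described above; single-quoted literals and SQL comments are out of scope here and would need the same treatment.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// dollarOpen matches a dollar-quote opener: $$ or $tag$ (a tag cannot start with a digit).
var dollarOpen = regexp.MustCompile(`^\$([A-Za-z_][A-Za-z0-9_]*)?\$`)

// interpolateSimple replaces $1, $2, ... with quoted literals only outside dollar-quoted
// literals, which are copied verbatim. Hypothetical; not pgx's code; '...' and comments unhandled.
func interpolateSimple(sql string, args []string) (string, error) {
	var out strings.Builder
	for i := 0; i < len(sql); {
		switch {
		case sql[i] != '$':
			out.WriteByte(sql[i])
			i++
		case i+1 < len(sql) && sql[i+1] >= '0' && sql[i+1] <= '9': // placeholder $n
			n, k := 0, i+1
			for k < len(sql) && sql[k] >= '0' && sql[k] <= '9' {
				n, k = n*10+int(sql[k]-'0'), k+1
			}
			if n < 1 || n > len(args) {
				return "", fmt.Errorf("placeholder $%d has no argument", n)
			}
			out.WriteString("'" + strings.ReplaceAll(args[n-1], "'", "''") + "'")
			i = k
		default: // a '$' not followed by a digit: dollar-quote opener or a lone '$'
			tag := dollarOpen.FindString(sql[i:])
			if tag == "" {
				out.WriteByte('$')
				i++
				break
			}
			rest := strings.Index(sql[i+len(tag):], tag) // find the matching closer
			if rest < 0 {
				return "", fmt.Errorf("unterminated dollar-quoted literal %s", tag)
			}
			end := i + len(tag) + rest + len(tag)
			out.WriteString(sql[i:end]) // the whole literal, any "$1" inside included, stays untouched
			i = end
		}
	}
	return out.String(), nil
}
```

With the constructed query `SELECT $$price $1$$, $1 FROM t` and the argument `it's`, only the placeholder outside the literal is replaced, giving `SELECT $$price $1$$, 'it''s' FROM t`.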
NVD CVSS 4.0 score: 2.3
Vulnerability type
CWE-89
SQL Injection
Published: 8 May 2026 · Updated: 23 May 2026 · First seen: 8 May 2026