CVE-2026-41889
Impact
SQL Injection can occur when:
- The non-default simple protocol is used.
- A dollar quoted string literal is used in the SQL query.
- That string literal contains text that would be interpreted as a placeholder outside of a string literal.
- The value of that placeholder is controllable by the attacker.
e.g.
attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.
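The root cause is a client that substitutes `$n` placeholders into the query text itself (which is what the simple protocol requires) without noticing that one of them sits inside a dollar-quoted literal. The single-quote escaping applied to the value is correct for a placeholder outside a literal, but inside `$tag$ ... $tag$` the value's own `$tag$` closes the literal and the rest of the value lands in statement position. The following Go program is an added illustration, not pgx's code and not the fix in the referenced commit: `scan`, `interpolate` and `topLevelSemicolons` are hypothetical helpers, and the query and value are the ones from the advisory example above. It contrasts a naive regex substitution with one that skips single-quoted literals, dollar-quoted literals and `--` comments, and counts statement separators outside literals so the two outputs can be compared mechanically.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// token is a byte range in the query that sits outside every string literal
// and comment: a $n placeholder (n > 0) or a ';' separator (n == 0).
type token struct{ start, end, n int }

func isDigit(c byte) bool { return c >= '0' && c <= '9' }
func isIdent(c byte) bool {
	return isDigit(c) || c == '_' || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// scan walks sql once, skipping single-quoted literals ('' is an escaped quote),
// dollar-quoted literals ($tag$ ... $tag$ or $$ ... $$) and -- comments, and
// reports the placeholders and semicolons found outside them.
func scan(sql string) []token {
	var toks []token
	for i := 0; i < len(sql); {
		c := sql[i]
		switch {
		case c == '\'':
			j := i + 1
			for j < len(sql) {
				if sql[j] == '\'' {
					if j+1 < len(sql) && sql[j+1] == '\'' {
						j += 2 // doubled quote inside the literal
						continue
					}
					break
				}
				j++
			}
			i = j + 1
		case c == '-' && i+1 < len(sql) && sql[i+1] == '-':
			nl := strings.IndexByte(sql[i:], '\n')
			if nl < 0 {
				return toks // comment runs to end of query
			}
			i += nl + 1
		case c == ';':
			toks = append(toks, token{i, i + 1, 0})
			i++
		case c == '$':
			j := i + 1
			for j < len(sql) && isDigit(sql[j]) {
				j++
			}
			if j > i+1 { // $n placeholder
				n, _ := strconv.Atoi(sql[i+1 : j])
				toks = append(toks, token{i, j, n})
				i = j
				continue
			}
			for j < len(sql) && isIdent(sql[j]) { // optional tag (cannot start with a digit)
				j++
			}
			if j < len(sql) && sql[j] == '$' {
				tag := sql[i : j+1]
				rest := strings.Index(sql[j+1:], tag)
				if rest < 0 {
					return toks // unterminated literal swallows the rest
				}
				i = j + 1 + rest + len(tag)
				continue
			}
			i++ // lone '$', e.g. part of an operator
		default:
			i++
		}
	}
	return toks
}

// quoteLiteral escapes v the way a client does when it substitutes a text
// parameter itself: wrap in single quotes, doubling any embedded quote.
func quoteLiteral(v string) string {
	return "'" + strings.ReplaceAll(v, "'", "''") + "'"
}

var anyPlaceholder = regexp.MustCompile(`\$[0-9]+`)

// interpolate substitutes args into $n placeholders. With respectLiterals false
// every $n in the text is rewritten, including one inside a dollar-quoted
// literal (the behaviour the advisory describes); with it true only the
// placeholders reported by scan are touched.
func interpolate(sql string, args []string, respectLiterals bool) string {
	var spots []token
	if respectLiterals {
		for _, t := range scan(sql) {
			if t.n > 0 {
				spots = append(spots, t)
			}
		}
	} else {
		for _, m := range anyPlaceholder.FindAllStringIndex(sql, -1) {
			n, _ := strconv.Atoi(sql[m[0]+1 : m[1]])
			spots = append(spots, token{m[0], m[1], n})
		}
	}
	var b strings.Builder
	last := 0
	for _, t := range spots {
		b.WriteString(sql[last:t.start])
		b.WriteString(quoteLiteral(args[t.n-1]))
		last = t.end
	}
	b.WriteString(sql[last:])
	return b.String()
}

// topLevelSemicolons counts ';' separators outside literals and comments.
// For a query built from one statement this must stay 0; anything more means
// a value has escaped its literal.
func topLevelSemicolons(sql string) int {
	n := 0
	for _, t := range scan(sql) {
		if t.n == 0 {
			n++
		}
	}
	return n
}

func main() {
	query := "select $tag$ $1 $tag$, $1"
	value := "$tag$; drop table canary; --" // value from the advisory example
	for _, respect := range []bool{false, true} {
		out := interpolate(query, []string{value}, respect)
		fmt.Printf("respectLiterals=%v separators=%d\n  %s\n", respect, topLevelSemicolons(out), out)
	}
}
```

The literal-aware variant leaves the `$1` inside `$tag$ ... $tag$` as the literal text it is and substitutes only the second placeholder, so the value is confined to a single-quoted literal and no separator appears at top level. The same `scan` doubles as a cheap regression check for a client-side interpolator: any query assembled from one statement whose interpolated form has a top-level `;` was escaped somewhere.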
Patches
The problem is resolved in v5.9.2.
Workarounds
Do not use the simple protocol to execute queries matching all the above conditions.
References
- https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx
- https://nvd.nist.gov/vuln/detail/CVE-2026-41889
- https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da
- https://github.com/jackc/pgx
- https://github.com/jackc/pgx/releases/tag/v5.9.2
