BIT-postgresql-2026-6637

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/postgresql/BIT-postgresql-2026-6637.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-postgresql-2026-6637

Aliases

CVE-2026-6637

Published

2026-05-18T05:53:10.665Z

Modified

2026-05-18T08:00:15.840763Z

Summary

PostgreSQL refint allows stack buffer overflow and SQL injection

Details

Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Database specific

{
    "severity": "High",
    "cpes": [
        "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*"
    ]
}

References

Affected packages

Bitnami / postgresql

Package

Name: postgresql
Purl: pkg:bitnami/postgresql

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

14.23.0

Introduced

15.0.0

Fixed

15.18.0

Introduced

16.0.0

Fixed

16.14.0

Introduced

17.0.0

Fixed

17.10.0

Introduced

18.0.0

Fixed

18.4.0

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/postgresql/BIT-postgresql-2026-6637.json"