DEBIAN-CVE-2026-6476

Source
https://security-tracker.debian.org/tracker/CVE-2026-6476
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6476.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-6476
Upstream
  • CVE-2026-6476
Published
2026-05-14T14:16:25.230Z
Modified
2026-05-25T10:00:13.793477253Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

References

Affected packages

Debian:13 / postgresql-17

Package

Name
postgresql-17
Purl
pkg:deb/debian/postgresql-17?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
17.10-0+deb13u1

Affected versions

17.*
17.5-1
17.6-0+deb13u1
17.6-1
17.7-0+deb13u1
17.8-0+deb13u1
17.9-0+deb13u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6476.json"

Debian:14 / postgresql-18

Package

Name
postgresql-18
Purl
pkg:deb/debian/postgresql-18?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
18.4-1

Affected versions

18~~devel.*
18~~devel.20250318+g4078da6c478-1
18~~devel.20250331-1
18~~devel.20250405-1
18~~devel.20250421-1
18~~devel.20250502-1
Other
18~beta1-1
18~beta1+20250612-1
18~beta1+20250624-1
18~beta1+20250701-1
18~beta2-1
18~beta3-1
18~rc1-1
18~rc1-2
18~rc1-3
18.*
18.0-1
18.1-1
18.1-2
18.2-1
18.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6476.json"