GO-2026-5004
- Source
- https://pkg.go.dev/vuln/GO-2026-5004
- Import Source
- https://vuln.go.dev/ID/GO-2026-5004.json
- JSON Data
- https://api.osv.dev/v1/vulns/GO-2026-5004
- Aliases
-
- CVE-2026-41889
- GHSA-j88v-2chj-qfwx
- Related
- Published
- 2026-06-22T18:40:49Z
- Modified
- 2026-06-25T18:45:14.963912684Z
- Summary
- SQL Injection via placeholder confusion with dollar quoted string literals in github.com/jackc/pgx
- Details
-
SQL Injection can occur when using the non-default simple protocol with a dollar quoted string literal in the SQL query. If that string literal contains text that would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker, an injection may be possible.
For example, an attacker could provide a value that includes a closing dollar quote followed by malicious SQL commands. This is unlikely to occur outside of a contrived scenario.
- Database specific
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2026-5004" }- References
- Credits
-
-
- Jack Christensen
-
Affected packages
Go / github.com/jackc/pgx
Package
- Name
- github.com/jackc/pgx
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/jackc/pgx
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Go / github.com/jackc/pgx/v4
Package
- Name
- github.com/jackc/pgx/v4
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/jackc/pgx/v4
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Go / github.com/jackc/pgx/v5
Package
- Name
- github.com/jackc/pgx/v5
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/jackc/pgx/v5
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.9.2