JLSEC-2026-54

See a problem?
Please try reporting it to the source first.

Source

https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-54.md

Import Source

https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-54.json

JSON Data

https://api.osv.dev/v1/vulns/JLSEC-2026-54

Upstream

CVE-2026-2004

Published

2026-04-03T13:27:15.647Z

Modified

2026-04-03T13:31:45.690095Z

Summary

[none]

Details

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Database specific

{
    "license": "CC-BY-4.0",
    "sources": [
        {
            "published": "2026-02-12T14:16:02.213Z",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-2004",
            "modified": "2026-02-20T19:53:53.960Z",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2004",
            "id": "CVE-2026-2004",
            "imported": "2026-04-03T13:13:10.785Z"
        }
    ]
}

References

https://www.postgresql.org/support/security/CVE-2026-2004/

Affected packages

Julia / LibPQ_jll

Package

Name: LibPQ_jll
Purl: pkg:julia/LibPQ_jll?uuid=08be9ffa-1c94-5ee5-a977-46a84ec9b350

Affected ranges

Type: SEMVER
Events: Introduced

14.1.0+0

Fixed

16.13.0+0

Database specific

source

"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-54.json"