CVE-2026-41889: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in jackc pgx
CVE-2026-41889 is a low severity SQL injection vulnerability in the jackc pgx PostgreSQL driver for Go. The issue affects versions prior to 5.9.2 when using the non-default simple protocol with dollar-quoted string literals containing text interpreted as placeholders. An attacker can control the value of such placeholders, potentially leading to SQL injection. This vulnerability has been patched in version 5.9.2. No known exploits are reported in the wild.
AI Analysis
Technical Summary
The vulnerability in jackc pgx (CVE-2026-41889) involves improper neutralization of special elements in SQL commands (CWE-89). Specifically, when using the non-default simple protocol and dollar quoted string literals in SQL queries, text that would normally be interpreted as placeholders outside string literals can be manipulated by an attacker if the placeholder value is controllable. This can lead to SQL injection attacks. The issue is resolved in pgx version 5.9.2.
Potential Impact
The impact is limited to SQL injection under specific conditions involving the non-default simple protocol and dollar quoted string literals. The CVSS 4.0 base score is 2.3 (low), indicating limited exploitability and impact. There are no known exploits in the wild, and the vulnerability requires attacker control over placeholder values with limited privileges.
Mitigation Recommendations
Upgrade to pgx version 5.9.2 or later where this vulnerability is patched. Since the vendor advisory indicates the issue is fixed in 5.9.2, applying this official fix is the recommended remediation. No other mitigations are specified or required.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-22T15:11:54.671Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69fe0d85cbff5d8610fb995a
Added to database: 5/8/2026, 4:21:25 PM
Last enriched: 5/8/2026, 4:36:30 PM
Last updated: 5/8/2026, 5:37:11 PM