threatengine.sh
Product: postgresql
186 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE | Affected versions | CVSS | Severity | Summary (truncated as listed)
--- | --- | --- | --- | ---
CVE-2026-6638 | >= 16.0 and < 16.14 | 3.7 | LOW | SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to ex
CVE-2026-6637 | < 14.23 | 8.8 | HIGH | Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operatin
CVE-2026-6575 | >= 18.0 and < 18.4 | 4.3 | MEDIUM | Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query
CVE-2026-6479 | < 14.23 | 7.5 | HIGH | Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to
CVE-2026-6478 | < 14.23 | 6.5 | MEDIUM | Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credent
CVE-2026-6477 | < 14.23 | 8.8 | HIGH | Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and
CVE-2026-6476 | >= 17.0 and < 17.10 | 7.2 | HIGH | SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as
CVE-2026-6475 | < 14.23 | 8.8 | HIGH | Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e
CVE-2026-6474 | < 14.23 | 4.3 | MEDIUM | Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, v
CVE-2026-6473 | < 14.23 | 8.8 | HIGH | Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an
CVE-2026-6472 | < 14.23 | 5.4 | MEDIUM | Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user
CVE-2026-42198 | >= 42.2.0 and < 42.7.11 | 7.5 | HIGH | pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-s
CVE-2026-2007 | >= 18.0 and < 18.2 | 8.2 | HIGH | Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The atta
CVE-2026-2006 | >= 14.0 and < 14.21 | 8.8 | HIGH | Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries t
CVE-2026-2005 | >= 14.0 and < 14.21 | 8.8 | HIGH | Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user ru
CVE-2026-2004 | >= 14.0 and < 14.21 | 8.8 | HIGH | Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to ex
CVE-2026-2003 | >= 14.0 and < 14.21 | 4.3 | MEDIUM | Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have no
CVE-2025-49146 | >= 42.7.4 and < 42.7.7 | 8.2 | HIGH | pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with
CVE-2024-10979 | >= 12.0 and < 12.21 | 8.8 | HIGH | Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process
CVE-2024-10978 | >= 12.0 and < 12.21 | 4.2 | MEDIUM | Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those
CVE-2024-10977 | >= 12.0 and < 12.21 | 3.1 | LOW | Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrar
CVE-2024-10976 | >= 12.0 and < 12.21 | 4.2 | MEDIUM | Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those in
CVE-2024-7348 | >= 12.0 and < 12.20 | 8.8 | HIGH | Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL funct
CVE-2024-4317 | >= 14.0 and < 14.12 | 3.1 | LOW | Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to rea
CVE-2024-1597 | < 42.2.28 | 10.0 | CRITICAL | pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. I
CVE-2024-0985 | >= 12.0 and < 12.18 | 8.0 | HIGH | Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL func
CVE-2023-5870 | >= 11.0 and < 11.22 | 2.2 | LOW | A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replica
CVE-2023-5869 | >= 11.0 and < 11.22 | 8.8 | HIGH | A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks
CVE-2023-5868 | >= 11.0 and < 11.22 | 4.3 | MEDIUM | A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting c
CVE-2020-21469 | all versions | 4.4 | MEDIUM | An issue was discovered in PostgreSQL 12.2 allows attackers to cause a denial of service via repeatedly sending SIGHUP signals. NO
CVE-2023-39418 | >= 15.0 and < 15.4 | 3.1 | LOW | A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security polic
CVE-2023-39417 | >= 11.0 and < 11.21 | 7.5 | HIGH | IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:.
CVE-2023-2455 | >= 11.0 and < 11.20 | 5.4 | MEDIUM | Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certai
CVE-2023-2454 | >= 11.0 and < 11.20 | 7.2 | HIGH | schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an auth
CVE-2022-41862 | >= 12.0 and < 12.14 | 3.7 | LOW | In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport e
CVE-2022-41946 | >= 42.2.0 and < 42.2.27 | 4.7 | MEDIUM | pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText
CVE-2022-1552 | >= 10.0 and < 10.21 | 8.8 | HIGH | A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining
CVE-2021-43767 | >= 9.6.0 and < 9.6.24 | 5.9 | MEDIUM | Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server
CVE-2022-2625 | >= 10.0 and < 10.22 | 8.0 | HIGH | A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, t
CVE-2022-31197 | < 42.2.26 | 7.1 | HIGH | PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database indepe
CVE-2022-26520 | >= 42.1.0 and <= 42.1.4 | 9.8 | CRITICAL | In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to
CVE-2021-23214 | < 9.6.24 | 8.1 | HIGH | When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-th
CVE-2021-3677 | >= 11.0 and < 11.13 | 6.5 | MEDIUM | A flaw was found in postgresql. A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, a
CVE-2021-23222 | >= 9.6 and < 9.6.24 | 5.9 | MEDIUM | A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate veri
CVE-2022-21724 | < 42.2.25 | 7.0 | HIGH | pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing sec
CVE-2021-32028 | >= 9.6.0 and < 9.6.22 | 6.5 | MEDIUM | A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated
CVE-2021-32029 | >= 11.0 and < 11.12 | 6.5 | MEDIUM | A flaw was found in postgresql. Using an UPDATE ... RETURNING command on a purpose-crafted table, an authenticated database user c
CVE-2021-32027 | >= 9.6.0 and < 9.6.22 | 8.8 | HIGH | A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. While modifying
CVE-2021-3393 | < 11.11 | 4.3 | MEDIUM | An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permi
CVE-2019-10128 | < 9.4.22 | 7.8 | HIGH | A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for EnterpriseDB-supplied PostgreSQL do
CVE-2019-10127 | < 9.4.22 | 8.8 | HIGH | A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for BigSQL-supplied PostgreSQL does not
CVE-2021-20229 | >= 13.0 and < 13.2 | 4.3 | MEDIUM | A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a spe
CVE-2020-25696 | >= 9.5.0 and < 9.5.24 | 7.5 | HIGH | A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15,
CVE-2020-25695 | < 9.5.24 | 8.8 | HIGH | A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An
CVE-2020-25694 | < 9.5.24 | 8.1 | HIGH | A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If
CVE-2020-10733 | >= 9.5 and < 9.5.22 | 7.3 | HIGH | The Windows installer for PostgreSQL 9.5 - 12 invokes system-provided executables that do not have fully-qualified paths. Executab
CVE-2020-14350 | >= 9.5 and < 9.5.23 | 7.3 | HIGH | It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with suffici
CVE-2020-14349 | >= 10.0 and < 10.14 | 7.1 | HIGH | It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during l
CVE-2020-13692 | < 42.2.13 | 7.7 | HIGH | PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
CVE-2020-1720 | >= 9.6 and < 9.6.17 | 3.1 | LOW | A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An aut
CVE-2015-0244 | < 9.0.19 | 9.8 | CRITICAL | PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 does not properly h
CVE-2015-0243 | < 9.0.19 | 8.8 | HIGH | Multiple buffer overflows in contrib/pgcrypto in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before
CVE-2015-0242 | < 9.0.19 | 8.8 | HIGH | Stack-based buffer overflow in the *printf function implementations in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before
CVE-2015-0241 | < 9.0.19 | 8.8 | HIGH | The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9
CVE-2014-8161 | < 9.0.19 | 4.3 | MEDIUM | PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authe
CVE-2015-3167 | < 9.0.20 | 7.5 | HIGH | contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2
CVE-2015-3166 | < 9.0.20 | 9.8 | CRITICAL | The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x b
CVE-2019-3466 | < 210 | 7.8 | HIGH | The pg_ctlcluster script in postgresql-common in versions prior to 210 didn't drop privileges when creating socket/statistics temp
CVE-2019-10211 | < 9.4.24 | 9.8 | CRITICAL | Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via bundled OpenSSL executing code
CVE-2019-10210 | < 9.4.24 | 7.0 | HIGH | Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via superuser writing password to u
CVE-2019-10209 | >= 11.0 and < 11.5 | 2.2 | LOW | Postgresql, versions 11.x before 11.5, is vulnerable to a memory disclosure in cross-type comparison for hashed subplan.
CVE-2019-10208 | >= 9.4.0 and < 9.4.24 | 8.8 | HIGH | A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and
CVE-2019-3800 | < 2.1.2 | 6.3 | MEDIUM | CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user aut
CVE-2019-10130 | >= 9.5.0 and < 9.5.17 | 4.3 | MEDIUM | A vulnerability was found in PostgreSQL versions 11.x up to excluding 11.3, 10.x up to excluding 10.8, 9.6.x up to, excluding 9.6.
CVE-2019-10129 | >= 11.0 and < 11.3 | 6.5 | MEDIUM | A vulnerability was found in postgresql versions 11.x prior to 11.3. Using a purpose-crafted insert to a partitioned table, an att
CVE-2019-10164 | >= 10.0 and < 10.9 | 8.8 | HIGH | PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authentica
CVE-2019-9193 | >= 9.3 and <= 11.2 | 7.2 | HIGH | In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program'
CVE-2018-16850 | >= 10.0 and < 10.6 | 9.8 | CRITICAL | postgresql before versions 11.1, 10.6 is vulnerable to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFEREN
CVE-2018-10936 | < 42.2.5 | 8.1 | HIGH | A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host na
CVE-2016-7048 | < 9.1.24 | 8.1 | HIGH | The interactive installer in PostgreSQL before 9.3.15, 9.4.x before 9.4.10, and 9.5.x before 9.5.5 might allow remote attackers to
CVE-2018-10925 | >= 9.5.0 and < 9.5.14 | 8.1 | HIGH | It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization
CVE-2018-10915 | >= 9.3.0 and < 9.3.24 | 8.5 | HIGH | A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state
CVE-2018-1115 | < 9.6.9 | 9.1 | CRITICAL | postgresql before versions 10.4, 9.6.9 is vulnerable in the adminpack extension, the pg_catalog.pg_logfile_rotate() function doesn
CVE-2018-1058 | >= 9.3 and < 9.3.22 | 8.8 | HIGH | A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user a
CVE-2017-14798 | < 9.4-0.5.3.1 | 7.3 | HIGH | A race condition in the postgresql init script could be used by attackers able to access the postgresql account to escalate their
CVE-2018-1053 | >= 9.3.0 and < 9.3.21 | 7.0 | HIGH | In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade c
CVE-2018-1052 | all versions | 6.5 | MEDIUM | Memory disclosure vulnerability in table partitioning was found in postgresql 10.x before 10.2, allowing an authenticated attacker
CVE-2017-12172 | all versions | 6.7 | MEDIUM | PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9
CVE-2017-15099 | all versions | 6.5 | MEDIUM | INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose tab
CVE-2017-15098 | all versions | 8.1 | HIGH | Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5
CVE-2017-8806 | all versions | 5.5 | MEDIUM | The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package
CVE-2017-7548 | >= 9.4 and < 9.4.13 | 7.5 | HIGH | PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers wi
CVE-2017-7547 | all versions | 8.8 | HIGH | PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authentica
CVE-2017-7546 | all versions | 9.8 | CRITICAL | PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote
CVE-2016-0768 | <= 9.0 | 7.5 | HIGH | PostgreSQL PL/Java after 9.0 does not honor access controls on large objects.
CVE-2017-7486 | all versions | 7.5 | HIGH | PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords
CVE-2017-7485 | all versions | 5.9 | MEDIUM | In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIR
CVE-2017-7484 | <= 9.2.20 | 7.5 | HIGH | It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5
CVE-2016-5424 | <= 9.1.22 | 7.1 | HIGH | PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote
CVE-2016-5423 | <= 9.1.22 | 8.3 | HIGH | PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authen
CVE-2016-3065 | all versions | 9.1 | CRITICAL | The (1) brin_page_type and (2) brin_metapage_info functions in the pageinspect extension in PostgreSQL before 9.5.x before 9.5.2 a
CVE-2016-2193 | all versions | 7.5 | HIGH | PostgreSQL before 9.5.x before 9.5.2 does not properly maintain row-security status in cached plans, which might allow attackers t
CVE-2016-0773 | <= 9.1.19 | 7.5 | HIGH | PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 allows remote attac
CVE-2016-0766 | >= 9.1.0 and < 9.1.20 | 8.8 | HIGH | PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 does not properly r
CVE-2015-5289 | >= 9.3.0 and < 9.3.10 | | | Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attack
CVE-2015-5288 | <= 9.0.22 | | | The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10,
CVE-2015-3165 | <= 9.0.19 | | | Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x bef
CVE-2014-2669 | all versions | | | Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.
CVE-2014-0067 | <= 8.4.19 | | | The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authen
CVE-2014-0066 | <= 8.4.19 | | | The chkpass extension in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before
CVE-2014-0065 | <= 8.4.19 | | | Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x bef
CVE-2014-0064 | <= 8.4.19 | | | Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x
CVE-2014-0063 | <= 8.4.19 | | | Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, a
CVE-2014-0062 | <= 8.4.19 | | | Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16,
CVE-2014-0061 | <= 8.4.19 | | | The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12,
CVE-2014-0060 | <= 8.4.19 | | | PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly e
CVE-2013-1903 | all versions | | | PostgreSQL, possibly 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 inc
CVE-2013-1902 | all versions | | | PostgreSQL, 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 generates in
CVE-2013-1901 | all versions | | | PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authentic
CVE-2013-1900 | all versions | | | PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates ins
CVE-2013-1899 | all versions | | | Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attac
CVE-2013-0255 | all versions | | | PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not prop
CVE-2012-1618 | all versions | | | Interaction error in the PostgreSQL JDBC driver before 8.2, when used with a PostgreSQL server with the "standard_conforming_strin
CVE-2012-3489 | >= 8.3.0 and < 8.3.20 | 6.5 | MEDIUM | The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0
CVE-2012-3488 | all versions | | | The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 doe
CVE-2012-2655 | all versions | | | PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users
CVE-2012-0868 | all versions | | | CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x befo
CVE-2012-0867 | all versions | | | PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when ve
CVE-2012-0866 | all versions | | | CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 does not properl
CVE-2012-2143 | >= 8.3 and < 8.3.19 | | | The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, doe
CVE-2011-2483 | >= 8.2.0 and < 8.2.22 | | | crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not
CVE-2010-4015 | all versions | | | Buffer overflow in the gettoken function in contrib/intarray/_int_bool.c in the intarray array module in PostgreSQL 9.0.x before 9
CVE-2010-3433 | all versions | | | The PL/perl and PL/Tcl implementations in PostgreSQL 7.4 before 7.4.30, 8.0 before 8.0.26, 8.1 before 8.1.22, 8.2 before 8.2.18, 8
CVE-2010-1975 | all versions | | | PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 doe
CVE-2010-1447 | all versions | | | The Safe (aka Safe.pm) module 2.26, and certain earlier versions, for Perl, as used in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.
CVE-2010-1170 | all versions | | | The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3
CVE-2010-1169 | all versions | | | PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.
CVE-2010-0733 | <= 8.4.1 | | | Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote auth
CVE-2010-0442 | >= 7.4 and < 7.4.28 | | | The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to
CVE-2009-4136 | all versions | | | PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x befor
CVE-2009-4034 | all versions | | | PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x befor
CVE-2009-3231 | >= 8.2 and < 8.2.14 | | | The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous bind
CVE-2009-3230 | all versions | | | The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.2
CVE-2009-3229 | all versions | | | The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, and 8.2 before 8.2.14 allows remote authenticated user
CVE-2009-0922 | all versions | | | PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack
CVE-2007-6601 | >= 7.3.0 and < 7.3.21 | | | The DBLink module in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 before 7.4.19, and 7.3 before 7.3.21,
CVE-2007-6600 | all versions | | | PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 before 7.4.19, and 7.3 before 7.3.21 uses superuser privile
CVE-2007-6067 | all versions | | | Algorithmic complexity vulnerability in the regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6
CVE-2007-4772 | >= 7.4 and < 7.4.19 | | | The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15,
CVE-2007-4769 | all versions | | | The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15,
CVE-2007-3280 | all versions | | | The Database Link library (dblink) in PostgreSQL 8.1 implements functions via CREATE statements that map to arbitrary libraries ba
CVE-2007-3279 | all versions | | | PostgreSQL 8.1 and probably later versions, when the PL/pgSQL (plpgsql) language has been created, grants certain plpgsql privileg
CVE-2007-3278 | >= 7.3 and < 7.3.21 | | | PostgreSQL 8.1 and probably later versions, when local trust authentication is enabled and the Database Link library (dblink) is i
CVE-2007-2138 | < 7.3.19 | | | Untrusted search path vulnerability in PostgreSQL before 7.3.19, 7.4.x before 7.4.17, 8.0.x before 8.0.13, 8.1.x before 8.1.9, and
CVE-2007-0556 | all versions | | | The query planner in PostgreSQL before 8.0.11, 8.1 before 8.1.7, and 8.2 before 8.2.2 does not verify that a table is compatible w
CVE-2007-0555 | >= 7.3 and < 7.3.18 | | | PostgreSQL 7.3 before 7.3.13, 7.4 before 7.4.16, 8.0 before 8.0.11, 8.1 before 8.1.7, and 8.2 before 8.2.2 allows attackers to dis
CVE-2006-5542 | all versions | | | backend/tcop/postgres.c in PostgreSQL 8.1.x before 8.1.5 allows remote authenticated users to cause a denial of service (daemon cr
CVE-2006-5541 | >= 7.4 and < 7.4.14 | | | backend/parser/parse_coerce.c in PostgreSQL 7.4.1 through 7.4.14, 8.0.x before 8.0.9, and 8.1.x before 8.1.5 allows remote authent
CVE-2006-5540 | all versions | | | backend/parser/analyze.c in PostgreSQL 8.1.x before 8.1.5 allows remote authenticated users to cause a denial of service (daemon c
CVE-2006-2314 | all versions | | | PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allows context-d
CVE-2006-2313 | all versions | | | PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allows context-d
CVE-2006-0678 | all versions | | | PostgreSQL 7.3.x before 7.3.14, 7.4.x before 7.4.12, 8.0.x before 8.0.7, and 8.1.x before 8.1.3, when compiled with Asserts enable
CVE-2006-0553 | all versions | | | PostgreSQL 8.1.0 through 8.1.2 allows authenticated database users to gain additional privileges via "knowledge of the backend pro
CVE-2006-0105 | all versions | | | PostgreSQL 8.0.x before 8.0.6 and 8.1.x before 8.1.2, when running on Windows, allows remote attackers to cause a denial of servic
CVE-2005-1410 | all versions | | | The tsearch2 module in PostgreSQL 7.4 through 8.0.x declares the (1) dex_init, (2) snb_en_init, (3) snb_ru_init, (4) spell_init, a
CVE-2005-1409 | all versions | | | PostgreSQL 7.3.x through 8.0.x gives public EXECUTE access to certain character conversion functions, which allows unprivileged us
CVE-2005-0247 | all versions | | | Multiple buffer overflows in gram.y for PostgreSQL 8.0.1 and earlier may allow attackers to execute arbitrary code via (1) a large
CVE-2005-0246 | >= 7.3.0 and < 7.3.9 | | | The intagg contrib module for PostgreSQL 8.0.0 and earlier allows attackers to cause a denial of service (crash) via crafted array
CVE-2005-0244 | all versions | | | PostgreSQL 8.0.0 and earlier allows local users to bypass the EXECUTE permission check for functions by using the CREATE AGGREGATE
CVE-2005-0227 | >= 7.3.0 and < 7.3.9 | | | PostgreSQL (pgsql) 7.4.x, 7.2.x, and other versions allows local users to load arbitrary shared libraries and execute code via the
CVE-2004-0977 | >= 7.3.0 and < 7.3.8 | | | The make_oidjoins_check script in PostgreSQL 7.4.5 and earlier allows local users to overwrite files via a symlink attack on tempo
CVE-2005-0245 | >= 7.3 and < 7.3.10 | | | Buffer overflow in gram.y for PostgreSQL 8.0.0 and earlier may allow attackers to execute arbitrary code via a large number of arg
CVE-2004-0547 | all versions | | | Buffer overflow in the ODBC driver for PostgreSQL before 7.2.1 allows remote attackers to cause a denial of service (crash).
CVE-2003-0901 | all versions | | | Buffer overflow in to_ascii for PostgreSQL 7.2.x, and 7.3.x before 7.3.4, allows remote attackers to execute arbitrary code.
CVE-2002-1402 | all versions | | | Buffer overflows in the (1) TZ and (2) SET TIME ZONE environment variables for PostgreSQL 7.2.1 and earlier allow local users to c
CVE-2002-1401 | all versions | | | Buffer overflows in (1) circle_poly, (2) path_encode and (3) path_add (also incorrectly identified as path_addr) for PostgreSQL 7.
CVE-2002-1400 | all versions | | | Heap-based buffer overflow in the repeat() function for PostgreSQL before 7.2.2 allows attackers to execute arbitrary code by caus
CVE-2002-1399 | all versions | | | Unknown vulnerability in cash_out and possibly other functions in PostgreSQL 7.2.1 and earlier, and possibly later versions before
CVE-2002-1398 | all versions | | | Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows attackers to cause a denial of service and possibly execute
CVE-2002-1397 | all versions | | | Vulnerability in the cash_words() function for PostgreSQL 7.2 and earlier allows local users to cause a denial of service and poss
CVE-2002-1657 | all versions | 7.5 | HIGH | PostgreSQL uses the username for a salt when generating passwords, which makes it easier for remote attackers to guess passwords v
CVE-2002-1642 | all versions | | | PostgreSQL 7.2.1 and 7.2.2 allows local users to delete transaction log (pg_clog) data and cause a denial of service (data loss) v
CVE-2002-0972 | all versions | | | Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of service and possibly execute arbitrary code via long argum
CVE-2002-0802 | all versions | | | The multibyte support in PostgreSQL 6.5.x with SQL_ASCII encoding consumes an extra character when processing a character that can
CVE-2000-1199 | all versions | | | PostgreSQL stores usernames and passwords in plaintext in (1) pg_shadow and (2) pg_pwd, which allows attackers with sufficient pri
CVE-1999-0862 | all versions | | | Insecure directory permissions in RPM distribution for PostgreSQL allows local users to gain privileges by reading a plaintext pas
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin