PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33815 github.com/jackc/pgx/v5 CVE debrief

CVE-2026-33815 is a critical memory-safety vulnerability in github.com/jackc/pgx/v5. The official NVD record rates it CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): a network-reachable, unauthenticated vector with high confidentiality, integrity, and availability impact, so exposure in production can be severe. The supplied official sources also point to the Go vulnerability advisory GO-2026-4771 for remediation guidance. No additional root-cause detail or fixed-version information was included in the supplied corpus.

Vendor: github.com/jackc/pgx/v5
Product: github.com/jackc/pgx/v5/pgproto3
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-07
Original CVE updated: 2026-05-21
Advisory published: 2026-04-07
Advisory updated: 2026-05-21

Who should care

Teams that use github.com/jackc/pgx/v5 in production Go applications, especially owners of internet-facing services and dependency managers responsible for Go module updates.

Technical summary

The supplied record identifies a memory-safety issue in github.com/jackc/pgx/v5. NVD marks the CVE as analyzed and assigns CVSS 3.1 9.8 with network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality, integrity, and availability impact. The NVD record references the Go security advisory GO-2026-4771, but the supplied corpus does not include an affected-version range, root cause specifics, or a published fixed version.

Defensive priority

Immediate (critical)

Recommended defensive actions

  • Inventory services, builds, and container images that depend on github.com/jackc/pgx/v5.
  • Review the official Go advisory GO-2026-4771 and the NVD entry for any fixed-version or mitigation guidance.
  • Prioritize dependency updates or patching as soon as a vendor-recommended remediation is available.
  • Rebuild, retest, and redeploy affected applications after updating the dependency.
  • Temporarily reduce exposure of affected services and increase monitoring for abnormal behavior until remediation is complete.

Evidence notes

This debrief is based only on the supplied official CVE/NVD records and the linked Go advisory. The corpus confirms the product family, critical severity, and CVSS vector, but it does not provide a detailed root cause, exploit scenario, or fixed version.

Official resources

Public CVE record published on 2026-04-07 and last modified on 2026-05-21. This debrief uses the published CVE/NVD timeline and the supplied official advisory link only.