PatchSiren cyber security CVE debrief

CVE-2026-33816 github.com/jackc/pgx/v5 CVE debrief

CVE-2026-33816 is a critical memory-safety vulnerability in github.com/jackc/pgx/v5. NVD rates it 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating a remotely reachable issue with severe confidentiality, integrity, and availability impact. The NVD record and the linked Go advisory point to affected pgx/v5 versions before 5.9.0.

Vendor: github.com/jackc/pgx/v5
Product: github.com/jackc/pgx/v5/pgproto3
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-07
Original CVE updated: 2026-05-21
Advisory published: 2026-04-07
Advisory updated: 2026-05-21

Who should care

Organizations and developers using github.com/jackc/pgx/v5 in applications, services, or dependencies should treat this as urgent, especially if the deployed version is earlier than 5.9.0.

Technical summary

NVD classifies CVE-2026-33816 as a memory-safety vulnerability in jackc/pgx/v5 and marks versions before 5.9.0 as vulnerable. The published CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) suggests the issue can be triggered over the network without privileges or user interaction and can have severe impact. NVD does not provide a more specific CWE in the supplied record, so the exact failure mode should be taken from vendor guidance and release notes.

Defensive priority

Immediate. A remotely exploitable memory-safety issue with a critical CVSS score should be prioritized for rapid patching and dependency verification.

Recommended defensive actions

  • Upgrade github.com/jackc/pgx/v5 to version 5.9.0 or later, or to the first fixed release identified by the Go advisory.
  • Inventory applications, services, and transitive dependencies that import pgx/v5 and confirm the runtime version in use.
  • Review lockfiles, vendored code, and build pipelines to ensure the fixed version is actually deployed everywhere.
  • Monitor the linked Go advisory and NVD record for any additional remediation guidance or clarifications.
  • If immediate upgrade is not possible, accelerate change windows and reduce exposure of affected systems until patched.
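A small version check for the inventory steps above, added here as an example and not code from PatchSiren, pgx, or the Go advisory. It assumes the `path version` line format of `go list -m all` (the `=>` replace form is handled by taking the replacement's version) and compares against the versionEndExcluding value 5.9.0 from the NVD record; pre-release and pseudo-versions of v5.9.0 sort before the tag and are reported as affected.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

const pgxModule = "github.com/jackc/pgx/v5"
const fixedVersion = "v5.9.0" // versionEndExcluding from the NVD record

// parseSemver splits "v5.8.1" or "v5.9.0-rc1" into numeric parts and a pre-release tag.
// Build metadata after '+' is ignored, as semver requires.
func parseSemver(v string) (nums [3]int, pre string, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, "", false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, "", false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// IsAffected reports whether a pgx/v5 version is below the fixed release.
func IsAffected(version string) (bool, error) {
	got, gotPre, ok := parseSemver(version)
	if !ok {
		return false, fmt.Errorf("unparseable module version %q", version)
	}
	fixed, _, _ := parseSemver(fixedVersion)
	for i := 0; i < 3; i++ {
		if got[i] != fixed[i] {
			return got[i] < fixed[i], nil
		}
	}
	return gotPre != "", nil // v5.9.0-rc1 or a v5.9.0 pseudo-version is still pre-fix
}

// FindPgxVersion scans `go list -m all` output for the effective pgx/v5 version ("" if absent).
func FindPgxVersion(goListOutput string) string {
	sc := bufio.NewScanner(strings.NewReader(goListOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || f[0] != pgxModule {
			continue
		}
		if len(f) >= 5 && f[2] == "=>" { // replaced module: use the replacement's version
			return f[4]
		}
		return f[1]
	}
	return ""
}

func main() {
	// Constructed sample output, not from a real project.
	sample := "example.com/app\ngithub.com/jackc/pgx/v5 v5.7.2\ngithub.com/jackc/puddle/v2 v2.2.2\n"
	v := FindPgxVersion(sample)
	affected, err := IsAffected(v)
	fmt.Println(v, affected, err)
}
```

Run it against real output with `go list -m all | go run check.go` style plumbing, or feed `go version -m <binary>` lines for already-built artifacts, which is what confirms the version actually deployed rather than the one in go.mod.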

Evidence notes

The NVD record published on 2026-04-07 and modified on 2026-05-21 identifies CVE-2026-33816 as affecting cpe:2.3:a:jackc:pgx:*:*:*:*:*:go:*:* with versionEndExcluding 5.9.0. The same record links to the Go vulnerability notice GO-2026-4772 as a third-party advisory. NVD assigns CVSS 9.8 with a network-exploitable, no-auth, no-interaction vector. No more specific weakness description is provided in the supplied NVD data beyond memory-safety.

Official resources

CVE-2026-33816 was published in the NVD/CVE ecosystem on 2026-04-07 and last modified on 2026-05-21. The supplied NVD record links to the Go advisory GO-2026-4772 for additional remediation context.