PatchSiren

electric-sql CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL electric-sql CVE published 2026-04-21

CVE-2026-40906

CVE-2026-40906 is a critical SQL injection vulnerability in Electric Sync Service versions 1.1.12 up to, but not including, 1.5.0. The flaw is in the order_by parameter of the /v1/shape API: an authenticated user can inject arbitrary SQL through it. Because the injected text runs against the service's PostgreSQL database, an attacker could read, write, and destroy the full contents of that database, not just the shape they asked for. The Electric SQL team has addressed this issue in version 1.5.0 [truncated]
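The summary above describes the classic ORDER BY injection shape: a sort parameter is pasted into the query text, so it can carry any expression, and the ordering of the response leaks whatever that expression evaluates. The block below is an added illustration written for this debrief, not Electric's Elixir code and not the CVE-2026-40906 exploit; the schema, table names, the `ALLOWED_COLUMNS` allowlist and the payload are all constructed, and the in-memory SQLite stands in for PostgreSQL. It puts the vulnerable string-interpolation builder beside an allowlist-based builder of the kind a shape-style endpoint should use, and shows why the vulnerable one is a data read primitive even when only a single SELECT is ever executed.

```python
"""Illustrative ORDER BY handling for a shape-style API (assumed design, not Electric's code)."""
import re
import sqlite3

# Constructed schema: a synced table plus a table the API caller must never see.
SCHEMA = """
CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE secrets (token TEXT);
INSERT INTO items VALUES (1, 'alpha'), (2, 'beta'), (3, 'gamma');
INSERT INTO secrets VALUES ('hunter2');
"""

# Assumption: the service knows the columns of every exposed table up front.
ALLOWED_COLUMNS = {"items": {"id", "name"}}
# One order term is an identifier optionally followed by asc/desc; nothing else.
_ORDER_TERM = re.compile(r"^\s*(\w+)(?:\s+(asc|desc))?\s*$", re.IGNORECASE)


def unsafe_order_query(table: str, order_by: str) -> str:
    # Vulnerable pattern: caller-controlled text becomes part of the SQL.
    return f"SELECT id, name FROM {table} ORDER BY {order_by}"


def safe_order_query(table: str, order_by: str) -> str:
    # Hardened pattern: only allowlisted column names and a fixed direction
    # keyword are ever written into the statement; the raw input never is.
    if table not in ALLOWED_COLUMNS:
        raise ValueError("unknown table")
    terms = []
    for raw in order_by.split(","):
        m = _ORDER_TERM.match(raw)
        if not m or m.group(1) not in ALLOWED_COLUMNS[table]:
            raise ValueError(f"rejected order_by term: {raw!r}")
        col, direction = m.group(1), (m.group(2) or "asc").upper()
        terms.append(f'"{col}" {direction}')
    return f'SELECT id, name FROM "{table}" ORDER BY {", ".join(terms)}'


def run(sql: str) -> list:
    # Execute one statement against a fresh in-memory database; return the id column.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = conn.execute(sql).fetchall()
    conn.close()
    return [r[0] for r in rows]


def oracle_payload(prefix: str) -> str:
    # Constructed payload: the sort key depends on data the caller has no right
    # to read, so the order of the rows returned leaks one bit about secrets.token
    # per request. No stacked statement is needed for this read.
    return (f"CASE WHEN (SELECT token FROM secrets) LIKE '{prefix}%' "
            f"THEN id ELSE -id END")


def leaks_secret(prefix: str) -> bool:
    # True when the vulnerable builder lets the payload decide the ordering,
    # i.e. when the guessed prefix matches the secret.
    return run(unsafe_order_query("items", oracle_payload(prefix))) == [1, 2, 3]


def hardened_rejects(order_by: str) -> bool:
    # True when the allowlist builder refuses the input outright.
    try:
        safe_order_query("items", order_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("guess 'h' matches:", leaks_secret("h"))
    print("guess 'x' matches:", leaks_secret("x"))
    print("hardened SQL:", safe_order_query("items", "name desc, id"))
    print("payload rejected:", hardened_rejects(oracle_payload("h")))
```

The point of the allowlist builder is that the user's string is only ever compared against known identifiers; what reaches the database is text the service itself composed. A check that merely strips semicolons or blocks `DROP` would not stop the CASE expression above, which is why validation has to be by construction rather than by denylist.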