CVE-2026-58225 is a SQL Injection vulnerability in elixir-ecto postgrex. An attacker who can influence a LISTEN channel name can inject SQL into the reconnect replay query, causing a denial of service of the notification connection. The vulnerability affects postgrex versions from 0.16.0 before 0.22.3. This issue has a significant impact on applications that pass untrusted input as a channel name to Postg [truncated]
CVE-2026-32687 is a SQL injection issue in elixir-ecto/postgrex’s notifications handling. If an attacker can influence the channel name passed to LISTEN/UNLISTEN, the value is interpolated into SQL without escaping double quotes, which can break out of the quoted identifier and append additional SQL. The same pattern is also present when reconnect logic replays subscriptions in handle_connect/1.