PatchSiren

elixir-ecto CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW elixir-ecto CVE published 2026-07-10

CVE-2026-58225

CVE-2026-58225 is a SQL Injection vulnerability in elixir-ecto postgrex. An attacker who can influence a LISTEN channel name can inject SQL into the reconnect replay query, causing a denial of service of the notification connection. The vulnerability affects postgrex versions from 0.16.0 before 0.22.3. This issue has a significant impact on applications that pass untrusted input as a channel name to Postg [truncated]

HIGH elixir-ecto CVE published 2026-05-12

CVE-2026-32687

CVE-2026-32687 is a SQL injection issue in elixir-ecto/postgrex’s notifications handling. If an attacker can influence the channel name passed to LISTEN/UNLISTEN, the value is interpolated into SQL without escaping double quotes, which can break out of the quoted identifier and append additional SQL. The same pattern is also present when reconnect logic replays subscriptions in handle_connect/1.