HIGH
elixir-ecto
CVE published 2026-05-12
CVE-2026-32687
CVE-2026-32687 is a SQL injection issue in elixir-ecto/postgrex’s notifications handling. The channel name passed to LISTEN/UNLISTEN is interpolated into the SQL statement without escaping double quotes, so an attacker who can influence that name can close the quoted identifier with a double quote and append additional SQL. The same pattern is also present when the reconnect logic replays existing subscriptions in handle_connect/1, so a name that was accepted once is re-sent unescaped on every reconnect.
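As an added illustration (not Postgrex's own code), the following Elixir module contrasts the interpolation pattern the advisory describes with a helper that quotes the identifier by doubling embedded double quotes, which is how Postgres escapes a quote inside a quoted identifier; the module and function names are assumptions.

```elixir
defmodule SafeNotifications do
  @moduledoc """
  Added example (not Postgrex's own code): builds LISTEN/UNLISTEN
  statements with a correctly quoted Postgres identifier.
  """

  # Postgres silently truncates identifiers longer than NAMEDATALEN-1 (63)
  # bytes, which would let two distinct names collapse onto one channel.
  @max_identifier_bytes 63

  @doc """
  Quote an identifier the way Postgres expects: wrap it in double quotes and
  double every embedded double quote. A quote in the input can then never
  terminate the identifier early.
  """
  def quote_identifier(name) when is_binary(name) do
    cond do
      name == "" ->
        raise ArgumentError, "channel name must not be empty"

      String.contains?(name, <<0>>) ->
        raise ArgumentError, "channel name must not contain a NUL byte"

      byte_size(name) > @max_identifier_bytes ->
        raise ArgumentError, "channel name exceeds #{@max_identifier_bytes} bytes"

      true ->
        ~s(") <> String.replace(name, ~s("), ~s("")) <> ~s(")
    end
  end

  # The pattern the advisory describes: the channel name is interpolated
  # verbatim, so a double quote inside it closes the identifier and the
  # remainder of the name is parsed as SQL. Kept here only for contrast.
  def listen_unsafe(channel), do: ~s(LISTEN "#{channel}")

  # Hardened forms: both the initial subscription and any replay on
  # reconnect should go through the same quoting helper.
  def listen(channel), do: "LISTEN " <> quote_identifier(channel)
  def unlisten(channel), do: "UNLISTEN " <> quote_identifier(channel)

  # Rebuilds every LISTEN statement from a stored subscription list (the
  # reconnect path the advisory mentions), so replay is quoted the same way.
  def replay_statements(channels) when is_list(channels) do
    Enum.map(channels, &listen/1)
  end
end
```

Calling `listen(~s(a"b))` yields `LISTEN "a""b"`, a single identifier, whereas `listen_unsafe/1` would emit the raw quote and let the rest of the name reach the parser as SQL.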