PatchSiren

jackc CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW jackc CVE published 2026-05-08

CVE-2026-41889

CVE-2026-41889 is a low-severity SQL injection issue in the pgx PostgreSQL driver and toolkit for Go. It affects a narrow set of queries when the non-default simple protocol is used and a dollar-quoted string literal contains text that can be interpreted as a placeholder outside the string literal. If the value associated with that placeholder is attacker-controlled, the resulting query can be manipulated [truncated]

CRITICAL jackc CVE published 2024-03-06

CVE-2024-27304

CVE-2024-27304 is a critical SQL injection issue in jackc's Go PostgreSQL tooling. An integer overflow in the message-size calculation can let an attacker influence how one oversized query or bind message is split into multiple protocol messages, creating an injection path. The issue is fixed in pgx v4.18.2 and v5.5.4, and in pgproto3 v2.3.3.

HIGH jackc CVE published 2024-03-06

CVE-2024-27289

CVE-2024-27289 is a high-severity SQL injection issue in jackc/pgx that affects versions before 4.18.2. According to the vendor and NVD, the risk appears only when the non-default simple protocol is used and a specific placeholder pattern is present in the same line of SQL. The vulnerability is fixed in pgx 4.18.2, and the published workaround is to avoid simple protocol or avoid placing a minus directly [truncated]