Description
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.
Published: 2026-05-08
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The pgx driver for Go enables execution of SQL queries using a non‑default simple protocol. When a dollar quoted string literal is used, any placeholder within that literal may be misinterpreted as a separate placeholder if the string contains dollar signs. If an attacker can supply the value for that placeholder, arbitrary SQL can be injected. This flaw is identified as CWE‑89.

Affected Systems

The issue affects the jackc:pgx PostgreSQL driver for Go, specifically all releases prior to version 5.9.2. The patch was released in v5.9.2; any application that uses the non‑default simple protocol and constructs queries with dollar quoted string literals is at risk.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, and no EPSS score is available. Exploitation requires the attacker to have control over the query contents to set a placeholder value, limiting its likelihood in the wild. The vulnerability is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on May 8, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pgx to version 5.9.2 or later
  • If an upgrade cannot be made, disable the non‑default simple protocol or refactor query construction to avoid dollar quoted string literals
  • Validate or escape any user‑supplied values used as placeholders to prevent unintended SQL injection

Generated by OpenCVE AI on May 8, 2026 at 17:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j88v-2chj-qfwx pgx: SQL Injection via placeholder confusion with dollar quoted string literals
History

Fri, 08 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.
Title pgx: SQL Injection via placeholder confusion with dollar quoted string literals
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T19:38:34.153Z

Reserved: 2026-04-22T15:11:54.671Z

Link: CVE-2026-41889

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T17:16:31.040

Modified: 2026-05-08T17:16:31.040

Link: CVE-2026-41889

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T17:45:13Z

Weaknesses