Description
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.
Published: 2026-05-08
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The pgx driver for Go enables execution of SQL queries using a non‑default simple protocol. When a dollar quoted string literal is used, any placeholder within that literal may be misinterpreted as a separate placeholder if the string contains dollar signs. If an attacker can supply the value for that placeholder, arbitrary SQL can be injected. This flaw is identified as CWE‑89.

Affected Systems

The issue affects the jackc:pgx PostgreSQL driver for Go, specifically all releases prior to version 5.9.2. The patch was released in v5.9.2; any application that uses the non‑default simple protocol and constructs queries with dollar quoted string literals is at risk.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, and no EPSS score is available. Exploitation requires the attacker to have control over the query contents to set a placeholder value, limiting its likelihood in the wild. The vulnerability is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on May 8, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pgx to version 5.9.2 or later
  • If an upgrade cannot be made, disable the non‑default simple protocol or refactor query construction to avoid dollar quoted string literals
  • Validate or escape any user‑supplied values used as placeholders to prevent unintended SQL injection

Generated by OpenCVE AI on May 8, 2026 at 17:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j88v-2chj-qfwx pgx: SQL Injection via placeholder confusion with dollar quoted string literals
History

Thu, 21 May 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pgx_project:pgx:*:*:*:*:*:go:*:* cpe:2.3:a:jackc:pgx:*:*:*:*:*:go:*:*
Vendors & Products Pgx Project
Pgx Project pgx

Thu, 21 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Pgx Project
Pgx Project pgx
CPEs cpe:2.3:a:pgx_project:pgx:*:*:*:*:*:go:*:*
Vendors & Products Pgx Project
Pgx Project pgx
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Sat, 16 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N'}

threat_severity

Moderate

Fri, 08 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Jackc
Jackc pgx
Vendors & Products Jackc
Jackc pgx

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.
Title pgx: SQL Injection via placeholder confusion with dollar quoted string literals
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Jackc Pgx
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T19:38:34.153Z

Reserved: 2026-04-22T15:11:54.671Z

Link: CVE-2026-41889

cve-icon Vulnrichment

Updated: 2026-05-08T19:38:15.820Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T17:16:31.040

Modified: 2026-05-21T19:58:12.450

Link: CVE-2026-41889

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T15:53:00Z

Links: CVE-2026-41889 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T22:30:18Z

Weaknesses