Vulnerable Library - github.com/jackc/Pgx/v5-v5.5.5
PostgreSQL driver and toolkit for Go
Library home page: https://proxy.golang.org/github.com/jackc/!pgx/v5/@v/v5.5.5.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (github.com/jackc/Pgx/v5-v5.5.5 version) |
Remediation Possible** |
| CVE-2026-33816 |
 Critical |
9.8 |
github.com/jackc/Pgx/v5-v5.5.5 |
Direct |
github.com/jackc/pgx/v5 - v5.9.0 |
❌ |
| CVE-2026-33815 |
Critical |
9.8 |
github.com/jackc/Pgx/v5-v5.5.5 |
Direct |
github.com/jackc/pgx/v5 - v5.9.0 |
❌ |
| CVE-2026-41889 |
 Low |
3.1 |
github.com/jackc/Pgx/v5-v5.5.5 |
Direct |
https://github.com/jackc/pgx.git - v5.9.2 |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-33816
Vulnerable Library - github.com/jackc/Pgx/v5-v5.5.5
PostgreSQL driver and toolkit for Go
Library home page: https://proxy.golang.org/github.com/jackc/!pgx/v5/@v/v5.5.5.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- ❌ github.com/jackc/Pgx/v5-v5.5.5 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Memory-safety vulnerability in github.com/jackc/pgx/v5.
Publish Date: 2026-04-07
URL: CVE-2026-33816
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9jj7-4m8r-rfcm
Release Date: 2026-04-07
Fix Resolution: github.com/jackc/pgx/v5 - v5.9.0
Step up your Open Source Security Game with Mend here
CVE-2026-33815
Vulnerable Library - github.com/jackc/Pgx/v5-v5.5.5
PostgreSQL driver and toolkit for Go
Library home page: https://proxy.golang.org/github.com/jackc/!pgx/v5/@v/v5.5.5.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- ❌ github.com/jackc/Pgx/v5-v5.5.5 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Memory-safety vulnerability in github.com/jackc/pgx/v5.
Publish Date: 2026-04-07
URL: CVE-2026-33815
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xgrm-4fwx-7qm8
Release Date: 2026-04-07
Fix Resolution: github.com/jackc/pgx/v5 - v5.9.0
Step up your Open Source Security Game with Mend here
CVE-2026-41889
Vulnerable Library - github.com/jackc/Pgx/v5-v5.5.5
PostgreSQL driver and toolkit for Go
Library home page: https://proxy.golang.org/github.com/jackc/!pgx/v5/@v/v5.5.5.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- ❌ github.com/jackc/Pgx/v5-v5.5.5 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.
Publish Date: 2026-05-08
URL: CVE-2026-41889
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-05
Fix Resolution: https://github.com/jackc/pgx.git - v5.9.2
Step up your Open Source Security Game with Mend here
PostgreSQL driver and toolkit for Go
Library home page: https://proxy.golang.org/github.com/jackc/!pgx/v5/@v/v5.5.5.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - github.com/jackc/Pgx/v5-v5.5.5
PostgreSQL driver and toolkit for Go
Library home page: https://proxy.golang.org/github.com/jackc/!pgx/v5/@v/v5.5.5.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Memory-safety vulnerability in github.com/jackc/pgx/v5.
Publish Date: 2026-04-07
URL: CVE-2026-33816
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9jj7-4m8r-rfcm
Release Date: 2026-04-07
Fix Resolution: github.com/jackc/pgx/v5 - v5.9.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/jackc/Pgx/v5-v5.5.5
PostgreSQL driver and toolkit for Go
Library home page: https://proxy.golang.org/github.com/jackc/!pgx/v5/@v/v5.5.5.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Memory-safety vulnerability in github.com/jackc/pgx/v5.
Publish Date: 2026-04-07
URL: CVE-2026-33815
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xgrm-4fwx-7qm8
Release Date: 2026-04-07
Fix Resolution: github.com/jackc/pgx/v5 - v5.9.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - github.com/jackc/Pgx/v5-v5.5.5
PostgreSQL driver and toolkit for Go
Library home page: https://proxy.golang.org/github.com/jackc/!pgx/v5/@v/v5.5.5.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.
Publish Date: 2026-05-08
URL: CVE-2026-41889
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-05
Fix Resolution: https://github.com/jackc/pgx.git - v5.9.2
Step up your Open Source Security Game with Mend here