chore(deps): update module github.com/jackc/pgx/v5 to v5.9.2 [security] #105

Merged
nemunaire merged 1 commit from renovate/go-github.com-jackc-pgx-v5-vulnerability into master 2026-06-03 14:37:47 +00:00

This PR contains the following updates:

Package: github.com/jackc/pgx/v5
Change: v5.8.0 → v5.9.2

Memory-safety vulnerability in github.com/jackc/pgx/v5.

CVE-2026-33816 / GHSA-9jj7-4m8r-rfcm / GO-2026-4772


Details

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

  • https://nvd.nist.gov/vuln/detail/CVE-2026-33816
  • https://github.com/jackc/pgx
  • https://pkg.go.dev/vuln/GO-2026-4772

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


CVE-2026-33815 in github.com/jackc/pgx

CVE-2026-33815 / GHSA-xgrm-4fwx-7qm8 / GO-2026-4771


Details

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Severity

Unknown

References

No references.

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


CVE-2026-33816 in github.com/jackc/pgx

CVE-2026-33816 / GHSA-9jj7-4m8r-rfcm / GO-2026-4772


Details

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Severity

Unknown

References

No references.

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


pgx: SQL Injection via placeholder confusion with dollar quoted string literals

CVE-2026-41889 / GHSA-j88v-2chj-qfwx


Details

Impact

SQL Injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That string literal contains text that would be interpreted as a placeholder outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

```go
attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)
```

This is unlikely to occur outside of a contrived scenario.

Patches

The problem is resolved in v5.9.2.

Workarounds

Do not use the simple protocol to execute queries matching all the above conditions.
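The workaround above depends on knowing which queries match conditions 2 and 3. The following Go program is an added example, not code from the pgx project or from this PR: it scans a query string for PostgreSQL dollar-quoted literals (`$$...$$` or `$tag$...$tag$`) and reports any `$N` placeholder text found inside one, so a query corpus can be checked before it is sent with `pgx.QueryExecModeSimpleProtocol` on an unpatched version. The `Finding` type and the function names `placeholdersInDollarQuotes` and `needsExtendedProtocol` are my own, as are the sample queries in `main` (one of them is the advisory's own). It skips ordinary `'...'` literals, treats an unterminated dollar quote as running to the end of the query, and does not parse SQL comments.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is a "$N" placeholder that sits inside a dollar-quoted literal.
// To PostgreSQL that text is just part of the string; a client doing textual
// substitution (the simple protocol in pgx before v5.9.2) would rewrite it.
type Finding struct {
	Tag         string // the delimiter, e.g. "$$" or "$tag$"
	Placeholder string // e.g. "$1"
	Offset      int    // byte offset of the placeholder within the query
}

// dollarOpen matches a dollar-quote opener at the start of its input. The
// optional tag follows identifier rules, so "$1" can never be an opener.
var dollarOpen = regexp.MustCompile(`^\$([A-Za-z_][A-Za-z0-9_]*)?\$`)

// placeholder matches positional parameter text.
var placeholder = regexp.MustCompile(`\$[0-9]+`)

// placeholdersInDollarQuotes walks the query, skipping ordinary '...' literals
// (with '' as the escaped quote) and returning every placeholder-looking token
// inside a dollar-quoted literal. An unterminated dollar quote runs to the end
// of the query, as it does in the server's lexer. (Hypothetical helper.)
func placeholdersInDollarQuotes(sql string) []Finding {
	var findings []Finding
	for i := 0; i < len(sql); {
		switch sql[i] {
		case '\'':
			i++
			for i < len(sql) {
				if sql[i] == '\'' {
					if i+1 < len(sql) && sql[i+1] == '\'' {
						i += 2 // escaped quote, still inside the literal
						continue
					}
					i++ // closing quote
					break
				}
				i++
			}
		case '$':
			tag := dollarOpen.FindString(sql[i:])
			if tag == "" {
				i++ // a bare placeholder outside any literal: harmless
				continue
			}
			start := i + len(tag)
			end, next := len(sql), len(sql)
			if rel := strings.Index(sql[start:], tag); rel >= 0 {
				end = start + rel
				next = end + len(tag)
			}
			for _, loc := range placeholder.FindAllStringIndex(sql[start:end], -1) {
				findings = append(findings, Finding{
					Tag:         tag,
					Placeholder: sql[start+loc[0] : start+loc[1]],
					Offset:      start + loc[0],
				})
			}
			i = next
		default:
			i++
		}
	}
	return findings
}

// needsExtendedProtocol reports whether the query is one the advisory's
// workaround says must not go through the simple protocol. (Hypothetical helper.)
func needsExtendedProtocol(sql string) bool {
	return len(placeholdersInDollarQuotes(sql)) > 0
}

func main() {
	// Constructed sample queries: the advisory's own, a benign one, and one
	// where the tag appears only inside a regular string literal.
	for _, q := range []string{
		"select $tag$ $1 $tag$, $1",
		"select $1, $2",
		"select '$tag$', $1",
	} {
		fmt.Printf("%-30q simple-protocol unsafe: %v %+v\n",
			q, needsExtendedProtocol(q), placeholdersInDollarQuotes(q))
	}
}
```

Run over the advisory's query it reports the `$1` inside `$tag$ ... $tag$` at byte offset 13; the two benign queries produce no findings. Queries it flags should stay on the default extended protocol, where the server binds the parameters and the literal is never rewritten client-side, until the module is on v5.9.2.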

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

  • https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx
  • https://nvd.nist.gov/vuln/detail/CVE-2026-41889
  • https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da
  • https://github.com/jackc/pgx
  • https://github.com/jackc/pgx/releases/tag/v5.9.2

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

jackc/pgx (github.com/jackc/pgx/v5)

v5.9.2

Compare Source: https://github.com/jackc/pgx/compare/v5.9.1...v5.9.2

v5.9.1

Compare Source: https://github.com/jackc/pgx/compare/v5.9.0...v5.9.1

v5.9.0

Compare Source: https://github.com/jackc/pgx/compare/v5.8.0...v5.9.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate.

chore(deps): update module github.com/jackc/pgx/v5 to v5.9.2 [security]
Some checks failed
renovate/artifacts Artifact file update failure
8d13854b97

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -t ./...
go: downloading github.com/jackc/pgx/v5 v5.9.2
go: git.happydns.org/happyDeliver/internal/api imports
	git.happydns.org/happyDeliver/internal/model: cannot find module providing package git.happydns.org/happyDeliver/internal/model

nemunaire merged commit 11f9ca9ca4 into master 2026-06-03 14:37:47 +00:00
nemunaire deleted branch renovate/go-github.com-jackc-pgx-v5-vulnerability 2026-06-03 14:37:47 +00:00
Reference
happyDomain/happyDeliver!105