CVE-2026-49498

CVE Database · CVE-2026-49498

CVE-2026-49498

· HIGHAnalyzed

CVSS v3.1

8.8

CVSS v4.0

8.7

EPSS

0.26%

Published

Jun 10, 2026

Modified

Jun 11, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in PasswordChange network messages to escalate to PostgreSQL superuser privileges and gain full database control.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-89

Affected Products (1)

nsa · ghidra (up to 12.1)vulnerable

References (2)

https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-vv7r-2rhf-5h7g

Vendor Advisory

https://www.vulncheck.com/advisories/ghidra-sql-injection-in-postgresql-password-change-via-unescaped-username

Third Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs