CVE-2026-6474

CVE Database · CVE-2026-6474

CVE-2026-6474

· MEDIUMAnalyzed

CVSS v3.1

4.3

EPSS

0.21%

Published

May 14, 2026

Modified

May 18, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weaknesses (CWE)

CWE-134

Affected Products (5)

postgresql · postgresql (up to 14.23)vulnerable

postgresql · postgresql (up to 15.18)vulnerable

postgresql · postgresql (up to 16.14)vulnerable

postgresql · postgresql (up to 17.10)vulnerable

postgresql · postgresql (up to 18.4)vulnerable

References (1)

https://www.postgresql.org/support/security/CVE-2026-6474/

PatchVendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs