CVE-2026-6637

CVE Database · CVE-2026-6637

CVE-2026-6637

· HIGHAnalyzed

CVSS v3.1

8.8

EPSS

0.38%

Published

May 14, 2026

Modified

May 18, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-89CWE-121

Affected Products (5)

postgresql · postgresql (up to 14.23)vulnerable

postgresql · postgresql (up to 15.18)vulnerable

postgresql · postgresql (up to 16.14)vulnerable

postgresql · postgresql (up to 17.10)vulnerable

postgresql · postgresql (up to 18.4)vulnerable

References (1)

https://www.postgresql.org/support/security/CVE-2026-6637/

PatchVendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs