CVE-2026-2004 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: February 12, 2026
PostgreSQL intarray - Command Injection
Overview
The PostgreSQL intarray extension in versions before 18.2, 17.8, 16.12, 15.16, and 14.21 contains a command injection caused by missing input type validation in a selectivity estimator function. It lets object creators execute arbitrary OS commands. Exploitation requires object creation privileges.
Impact
Object creators can execute arbitrary OS commands as the database user, potentially leading to full system compromise.
Mitigation
Upgrade to PostgreSQL 18.2, 17.8, 16.12, 15.16, 14.21 or later.
Social Media Activity (2 posts)
- CVE-2026-2004 - High (8.8) Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12... https://www.thehackerwire.com/vulnerability/CVE-2026-2004/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
- few new #postgresql vulns out there today. CVE-2026-2004 CVE-2026-2004 Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. CVSS Score: 8.8 | Severity: High | Published: 02/12/2026, 02:16 PM | Aliases: CVE-2026-2004 | CWE: CWE-1287 | References: https://www.postgresql.org/support/security/CVE-2026-2004/ https://hecate.pw/vulnerability/CVE-2026-2004 #cve #vulnerability #hecate
Details
- CVE ID: CVE-2026-2004
- Severity: High
- CVSS Score: 8.8
- Type: command_injection
- Status: unconfirmed
- EPSS: 9.5%
- Social Posts: 2
CWE
- CWE-1287
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H