LeakyCreds

CVE-2026-40906 - Vulnerability Analysis

Critical (CVSS: 9.9)

Last Updated: April 21, 2026

Electric Postgres - SQL Injection

Published: April 21, 2026
Updated: April 21, 2026
Remote Exploitable

Overview

Electric Postgres sync engine versions 1.1.12 up to, but not including, 1.5.0 contain an error-based SQL injection caused by improper sanitization of the order_by parameter of the /v1/shape API, which lets any authenticated user read, write, and destroy the full database.
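The defect class described above is a sort parameter spliced into SQL text without validation, so the database parser, and its error messages, become reachable from the request. The following is an added example that is not part of this advisory or of ElectricSQL's code: it places the defective concatenation beside a hardened version that allowlists the sortable columns and re-emits only a quoted identifier it already knows. The table, column names and in-memory SQLite database are constructed for the demonstration and stand in for the Postgres schema.

```python
import re
import sqlite3

# Constructed demo schema; the table, column names and the query shape are
# assumptions for this example and not ElectricSQL's own code.
ALLOWED_SORT_COLUMNS = {"id", "name", "created_at"}
_ORDER_BY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?$", re.IGNORECASE)


class InvalidOrderBy(ValueError):
    """Raised when the order_by request parameter fails allowlist validation."""


def vulnerable_sql(order_by: str) -> str:
    # Defective pattern: the request parameter is spliced verbatim into the SQL
    # text, so whatever the client sends reaches the database parser.
    return f"SELECT id, name FROM items ORDER BY {order_by}"


def safe_order_by(order_by: str) -> str:
    """Allowlist-validate order_by and return a clause built only from known identifiers."""
    m = _ORDER_BY.match(order_by.strip())
    if m is None:
        raise InvalidOrderBy(f"malformed order_by: {order_by!r}")
    column, direction = m.group(1), (m.group(2) or "asc").upper()
    if column not in ALLOWED_SORT_COLUMNS:
        raise InvalidOrderBy(f"column not sortable: {column!r}")
    # The column is re-emitted from the allowlisted match and quoted as an
    # identifier; the client's raw bytes never appear in the statement.
    return f'ORDER BY "{column}" {direction}'


def hardened_sql(order_by: str) -> str:
    return f"SELECT id, name FROM items {safe_order_by(order_by)}"


def new_demo_db() -> sqlite3.Connection:
    # In-memory SQLite stands in for Postgres; the rows are constructed sample data.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, created_at TEXT);"
        "INSERT INTO items (name, created_at) VALUES ('b', '2026-01-02'), ('a', '2026-01-01');"
    )
    return conn


def fetch(conn: sqlite3.Connection, order_by: str, hardened: bool):
    """Run the shape query; return ('rows', rows), ('rejected', why) or ('error', message).

    On the vulnerable path the database's own error text is handed back to the
    caller, which is exactly the channel an error-based injection reads from.
    On the hardened path bad input is rejected before any SQL is built, so the
    database never sees it and no parser error can leak.
    """
    try:
        sql = hardened_sql(order_by) if hardened else vulnerable_sql(order_by)
        return ("rows", conn.execute(sql).fetchall())
    except InvalidOrderBy as exc:
        return ("rejected", str(exc))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = new_demo_db()
    print(fetch(db, "name", hardened=True))            # sorted rows
    print(fetch(db, "no_such_column", hardened=False))  # database error text leaks out
    print(fetch(db, "no_such_column", hardened=True))   # rejected before reaching SQL
```

The point of the hardened path is that the client's string is only ever compared against the allowlist; the text that reaches the database is assembled from the matched, known identifier. A generic escaping step would not be a substitute here, because ORDER BY takes an identifier, not a value, and identifiers cannot be passed as bind parameters.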

Severity & Score

Severity: Critical
CVSS Score: 9.9
EPSS Score: 0.0% (probability of exploitation in the next 30 days)

Impact

Authenticated users can read, modify, and delete the entire PostgreSQL database, leading to full data compromise.

Mitigation

Upgrade to version 1.5.0 or later.

Social Media Activity (4 posts)

TheHackerWire
@thehackerwire
Apr 21, 2026

🔴 CVE-2026-40906 - Critical (9.9) Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of t... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40906/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-40906
Severity: Critical
CVSS Score: 9.9
Type: sql_injection
Status: new
EPSS: 0.0%
Social Posts: 4

CWE

  • CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

0.0% (probability of exploitation in the next 30 days)