CVE-2026-41889 / GHSA-j88v-2chj-qfwx — SQL injection in github.com/jackc/pgx/v5, fixed in v5.9.2. Vanta-flagged, ~2-day SLA (2026-05-18 report).
This repo: pgx v5.7.6 (direct). Go toolchain already 1.26.1 — no Go bump needed.
Fix: go get github.com/jackc/pgx/v5@v5.9.2 && go mod tidy. No behavioral code changes required (verified). Patch the active release line v2.4.x and main.
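Added example (not code from this repo or from pgx): a pre-merge gate that confirms go.mod pins github.com/jackc/pgx/v5 at or above v5.9.2 after the bump, so the check does not rely on reading the module line by eye. The module path and versions come from the note above; the function names, the sample go.mod contents and the temp-file paths are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from this repo or from pgx: a pre-merge gate that
# confirms go.mod pins github.com/jackc/pgx/v5 at or above the fixed release.
# Module path and versions come from the advisory note; file paths and the
# function names below are assumptions for the example.
MODULE="github.com/jackc/pgx/v5"
FIXED="v5.9.2"   # first release carrying the CVE-2026-41889 fix, per the note

# pgx_version_from_gomod FILE: print the version go.mod requires for MODULE
# (handles both the one-line "require mod vX" form and the indented block form).
pgx_version_from_gomod() {
    awk -v mod="$MODULE" '
        $1 == mod { print $2; exit }
        $1 == "require" && $2 == mod { print $3; exit }
    ' "$1"
}

# semver_ge A B: succeed when A >= B, comparing numeric components so that
# v5.10.0 sorts above v5.9.2; a pre-release or +incompatible suffix is ignored.
semver_ge() {
    a=${1#v}; a=${a%%[-+]*}
    b=${2#v}; b=${b%%[-+]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
        bi=${b%%.*}; if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}

# check_gomod FILE: status 0 when the pinned version is patched (or the module
# is not required at all), status 1 when it is still on a vulnerable release.
check_gomod() {
    have=$(pgx_version_from_gomod "$1")
    if [ -z "$have" ]; then
        echo "$1: $MODULE not required, nothing to patch"
        return 0
    fi
    if semver_ge "$have" "$FIXED"; then
        echo "$1: $MODULE $have >= $FIXED, OK"
        return 0
    fi
    echo "$1: $MODULE $have < $FIXED, still vulnerable (CVE-2026-41889)"
    return 1
}

# Constructed sample go.mod files modelled on the pre- and post-bump state in the note.
SAMPLE_VULN=$(mktemp) && SAMPLE_FIXED=$(mktemp)
trap 'rm -f "$SAMPLE_VULN" "$SAMPLE_FIXED"' EXIT
cat > "$SAMPLE_VULN" <<'EOF'
module example.invalid/service

go 1.26.1

require (
    github.com/jackc/pgx/v5 v5.7.6
)
EOF
sed 's/v5\.7\.6/v5.9.2/' "$SAMPLE_VULN" > "$SAMPLE_FIXED"

# Walk both samples; the vulnerable one prints the remediation command.
for f in "$SAMPLE_VULN" "$SAMPLE_FIXED"; do
    check_gomod "$f" || echo "  -> run: go get $MODULE@$FIXED && go mod tidy"
done
```

Run it as `sh check_pgx.sh` from the repo root after pointing check_gomod at the real go.mod; go.mod is the committed source of truth, but `go list -m github.com/jackc/pgx/v5` on the patched tree is the authoritative confirmation of what the build actually resolves, since replace directives and a stale go.sum are not visible to a go.mod-only parse.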