| Version | Change log |
| PostgreSQL 18.2 Feb 12, 2026 | Security Issues: CVE-2026-2003: PostgreSQL oidvector discloses a few bytes of memory: CVSS v3.1 Base Score: 4.3: Supported, Vulnerable Versions: 14 - 18. Improper validation of type oidvector in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. The PostgreSQL project thanks Altan Birler for reporting this problem. CVE-2026-2004: PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code: CVSS v3.1 Base Score: 8.8: Supported, Vulnerable Versions: 14 - 18. Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. The PostgreSQL project thanks Daniel Firer, as part of zeroday.cloud, for reporting this problem. CVE-2026-2005: PostgreSQL pgcrypto heap buffer overflow executes arbitrary code: CVSS v3.1 Base Score: 8.8: Supported, Vulnerable Versions: 14 - 18. Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. The PostgreSQL project thanks Team Xint Code, as part of zeroday.cloud, for reporting this problem. CVE-2026-2006: PostgreSQL missing validation of multibyte character length executes arbitrary code: CVSS v3.1 Base Score: 8.8: Supported, Vulnerable Versions: 14 - 18. Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user runn |
| PostgreSQL 18.1 Nov 14, 2025 | Avoid returning duplicate rows from hash right semi-joins. Avoid possible out-of-memory failures during parallel GIN index build. Several fixes for BRIN indexes. Fixes for crashes related to partitioned tables, including one occurring during a recheck. Avoid duplicating hash partition constraints during DETACH CONCURRENTLY, which previously caused issues during dump/restore or if a parent table is dropped after the DETACH. Disallow generated columns in partition keys and in COPY ... FROM ... WHERE clauses. Fix incorrect reporting of replication lag in pg_stat_replication view. Avoid failures when synchronized_standby_slots references nonexistent replication slots. Avoid unwanted WAL receiver shutdown when switching from streaming to archive WAL source. Avoid unnecessary invalidation of logical replication slots. Correctly handle GROUP BY DISTINCT in PL/pgSQL assignment statements. Avoid leaking memory when handling a SQL error within PL/Python. Fix how libpq handles socket-related errors on Windows within its GSSAPI logic. Fix dumping of non-inherited NOT NULL constraints on inherited table columns. Ensure consistent ordering of foreign key constraints in the output of pg_dump. Several fixes for pgbench error handling and reporting. Fix memory leak in pg_combinebackup. Allow nonsuperusers with SELECT privileges on a table to use pg_prewarm to prewarm indexes on that table. |
| PostgreSQL 17.4 Feb 20, 2025 | Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane). The changes made for CVE-2025-1094 had one serious oversight: PQescapeLiteral() and PQescapeIdentifier() failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory. In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string. Fix small memory leak in pg_createsubscriber (Ranier Vilela). Fix meson build system to correctly detect availability of the bsd_auth.h system header (Nazir Bilal Yavuz). |
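
The length-parameter oversight described in the 17.4 entry, as an added example (not libpq code and not from the PostgreSQL project). `quote_bounded` and `quote_to_nul` are hypothetical stand-ins that model a quoting function honoring the caller's length versus one that reads to the trailing null; the record string is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not libpq: wrap s in single quotes and double any
 * embedded quote. Reads at most len bytes and stops at an earlier NUL,
 * which is what a caller passing a length expects. */
char *quote_bounded(const char *s, size_t len)
{
    size_t n = 0;
    while (n < len && s[n] != '\0')       /* never look past len */
        n++;
    char *out = malloc(2 * n + 3);        /* worst case: every byte doubled */
    if (out == NULL)
        return NULL;
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'')
            *p++ = '\'';
        *p++ = s[i];
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Hypothetical model of the oversight: len is accepted but ignored and the
 * input is scanned to its trailing NUL. On a buffer with no terminator this
 * scan would run off the end of the allocation. */
char *quote_to_nul(const char *s, size_t len)
{
    (void)len;
    return quote_bounded(s, strlen(s));
}

int main(void)
{
    /* Constructed record: the caller wants only the 6-byte name field. */
    const char record[] = "o'neil|2025-02-20";
    char *good = quote_bounded(record, 6);
    char *bad = quote_to_nul(record, 6);
    if (good == NULL || bad == NULL)
        return 1;
    printf("bounded: %s\nto-nul:  %s\n", good, bad);
    free(good);
    free(bad);
    return 0;
}
```

Callers that rely on the length argument to truncate, or that pass buffers without a terminator, are the ones exposed to this class of bug.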