{"id":"ALPINE-CVE-2026-6476","details":"SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser.  The attack takes effect when pg_createsubscriber next runs.  Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected.  Versions before PostgreSQL 17 are unaffected.","modified":"2026-05-19T21:30:05.876229368Z","published":"2026-05-14T14:16:25.230Z","upstream":["CVE-2026-6476"],"references":[{"type":"ADVISORY","url":"https://security.alpinelinux.org/vuln/CVE-2026-6476"}],"affected":[{"package":{"name":"postgresql17","ecosystem":"Alpine:v3.21","purl":"pkg:apk/alpine/postgresql17?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"17.10-r0"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-6476.json"}},{"package":{"name":"postgresql17","ecosystem":"Alpine:v3.22","purl":"pkg:apk/alpine/postgresql17?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"17.10-r0"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-6476.json"}},{"package":{"name":"postgresql17","ecosystem":"Alpine:v3.23","purl":"pkg:apk/alpine/postgresql17?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"17.10-r0"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-6476.json"}},{"package":{"name":"postgresql18","ecosystem":"Alpine:v3.23","purl":"pkg:apk/alpine/postgresql18?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"18.4-r0"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-6476.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}