jackc CVE Vulnerabilities & Metrics

Focus on jackc vulnerabilities and metrics.

Last updated: 15 Jul 2026, 22:25 UTC

About jackc Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with jackc. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total jackc CVEs: 6
Earliest CVE date: 06 Mar 2024, 19:15 UTC
Latest CVE date: 08 May 2026, 17:16 UTC

Latest CVE reference: CVE-2026-41889

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 4

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical jackc CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.0

Max CVSS: 0

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 6
4.0-6.9 0
7.0-8.9 0
9.0-10.0 0

CVSS Distribution Chart

Top 5 Highest CVSS jackc CVEs

These are the five CVEs with the highest CVSS scores for jackc, sorted by severity first and recency.

All CVEs for jackc

CVE-2026-41889 jackc vulnerability CVSS: 0 08 May 2026, 17:16 UTC

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.

CVE-2026-33816 jackc vulnerability CVSS: 0 07 Apr 2026, 16:16 UTC

Memory-safety vulnerability in github.com/jackc/pgx/v5.

CVE-2026-33815 jackc vulnerability CVSS: 0 07 Apr 2026, 16:16 UTC

Memory-safety vulnerability in github.com/jackc/pgx/v5.

CVE-2026-32286 jackc vulnerability CVSS: 0 26 Mar 2026, 20:16 UTC

The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.

CVE-2024-27304 jackc vulnerability CVSS: 0 06 Mar 2024, 19:15 UTC

pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.

CVE-2024-27289 jackc vulnerability CVSS: 0 06 Mar 2024, 19:15 UTC

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.