CVE-2026-41889 / GHSA-j88v-2chj-qfwx — SQL injection in github.com/jackc/pgx/v5, fixed in v5.9.2. Vanta-flagged, ~2-day SLA (2026-05-18 report).
This repo: pgx v5.6.0 (indirect). Also requires Go toolchain bump 1.24 → 1.26.1 — pgx v5.9.x requires Go >=1.25.
Fix: bump the Go pins (go.mod go directive, and wherever else the toolchain is pinned) to 1.26.1, then go get github.com/jackc/pgx/v5@v5.9.2 && go mod tidy. Confirm with go list -m github.com/jackc/pgx/v5 that v5.9.2 is the selected version (it stays // indirect, since nothing here imports it directly). Patch the active release line v0.7.x and main.
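As an added verification step (example code written for this note, not part of the repo or of pgx), the Go program below parses a go.mod and reports whether the pgx/v5 requirement is still below the fixed version and whether the go directive is too old to take pgx v5.9.x. The module path and the v5.9.2 / Go 1.25 thresholds come from the note above; the two go.mod files are constructed samples standing in for the before and after state, not this repo's real files.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod contents (not the repo's real files): the state
// before the bump and the intended state after it.
const beforeGoMod = `module example.com/service

go 1.24

require (
	github.com/jackc/pgx/v5 v5.6.0 // indirect
	golang.org/x/text v0.14.0
)
`

const afterGoMod = `module example.com/service

go 1.26.1

require (
	github.com/jackc/pgx/v5 v5.9.2 // indirect
	golang.org/x/text v0.14.0
)
`

// Thresholds taken from the advisory note.
const (
	pgxModule   = "github.com/jackc/pgx/v5"
	pgxFixed    = "v5.9.2"
	minGoForPgx = "1.25"
)

// parseVersion splits "v5.9.2", "1.26.1" or "1.24" into numeric parts and
// flags pre-release suffixes such as "-rc1" ("+incompatible" is not one).
func parseVersion(v string) (parts []int, pre bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre = v[i] == '-'
		v = v[:i]
	}
	for _, p := range strings.Split(v, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, pre
		}
		parts = append(parts, n)
	}
	return parts, pre
}

// compareVersions returns -1, 0 or +1. Missing components count as 0, so
// "1.24" == "1.24.0"; a pre-release sorts below its release ("v5.9.2-rc1" < "v5.9.2"),
// so a release candidate is never mistaken for the fixed version.
func compareVersions(a, b string) int {
	pa, preA := parseVersion(a)
	pb, preB := parseVersion(b)
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x = pa[i]
		}
		if i < len(pb) {
			y = pb[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	switch {
	case preA && !preB:
		return -1
	case !preA && preB:
		return 1
	}
	return 0
}

type modInfo struct {
	GoVersion   string // value of the go directive
	PgxVersion  string // "" if pgx/v5 is not listed at all
	PgxIndirect bool   // carries a "// indirect" marker
}

// parseGoMod pulls out the go directive and the pgx/v5 require line, whether it
// sits inside a require block or on a single-line "require <path> <version>".
func parseGoMod(src string) modInfo {
	var info modInfo
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		f := strings.Fields(line)
		switch {
		case len(f) >= 2 && f[0] == "go":
			info.GoVersion = f[1]
		case len(f) >= 2 && f[0] == pgxModule:
			info.PgxVersion, info.PgxIndirect = f[1], strings.Contains(line, "// indirect")
		case len(f) >= 3 && f[0] == "require" && f[1] == pgxModule:
			info.PgxVersion, info.PgxIndirect = f[2], strings.Contains(line, "// indirect")
		}
	}
	return info
}

// check answers the two questions the ticket raises: is the listed pgx/v5
// still below the fixed version, and is the go directive too old for v5.9.x.
func check(info modInfo) (pgxVulnerable, goTooOld bool) {
	pgxVulnerable = info.PgxVersion != "" && compareVersions(info.PgxVersion, pgxFixed) < 0
	goTooOld = info.GoVersion == "" || compareVersions(info.GoVersion, minGoForPgx) < 0
	return pgxVulnerable, goTooOld
}

func main() {
	for _, s := range []struct{ name, src string }{{"before", beforeGoMod}, {"after", afterGoMod}} {
		info := parseGoMod(s.src)
		vuln, old := check(info)
		fmt.Printf("%-6s go=%-7s pgx=%-7s indirect=%-5v vulnerable=%-5v goTooOld=%v\n",
			s.name, info.GoVersion, info.PgxVersion, info.PgxIndirect, vuln, old)
	}
}
```

Caveat: go.mod only lists the selected version of an indirect dependency for modules with a go directive of 1.17 or later (pruned module graphs); on an older module the line may be absent and this check reports nothing. The authoritative answer for the repo is go list -m github.com/jackc/pgx/v5, and for already-built artifacts go version -m on the binary, which shows the pgx version actually linked in.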