← voltar
CVE-2026-40906criticalCWE-89

Electric: SQL Injection via ORDER BY Parameter in Shape API

28Vexday Risk Score

Sem sinal de exploração. Nenhum artefato público de exploração conhecido até agora.

ssvc Trackcvss 10epss 0.5%
probabilidade de exploração
0.5%top 63% das CVEs
exploração observada
nãonenhuma fonte reporta
Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Produtos afetados
electric-sql · electric