CVE-2026-40906
Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to er
CVSS
9.9
Critical
EPSS
0.5%
p37
KEV
—
Exploit Today
11
0-100
Published: Apr 21, 2026 · Last modified: Jul 15, 2026 · CWE-89
0.5%EPSS · 30 days0.5%
2026-06-302026-07-17
Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.
- github.comhttps://github.com/electric-sql/electric/pull/4081
- github.comhttps://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-40906
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2460291
- github.comhttps://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40906.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-422089.8 CRI99.7%
KEV—80BerriAI LiteLLM SQL Injection Vulnerability4dCVE-2020-249139.8 CRI98.5%
——30A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.10dCVE-2026-479927.2 HIG97.1%
——29Adobe Commerce is affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could exploit this vulnerability to execute malicious SQL commands, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction.3dCVE-2022-366358.8 HIG96.7%
——29ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.10dCVE-2023-409316.5 MED95.5%
——29A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php10dCVE-2026-12075.4 MED94.9%
——28An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.4d