CVE-2026-49498
HIGH
Ghidra 11.0 < 12.1 - SQL Injection in PostgreSQL Password Change via Unescaped Username
Title source: cna
Description
Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in PasswordChange network messages to escalate to PostgreSQL superuser privileges and gain full database control.
References (2)
Core References
Vendor Advisory
GitHub Security Advisory (GHSA-vv7r-2rhf-5h7g)
https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-vv7r-2rhf-5h7g
Third Party Advisory
https://www.vulncheck.com/advisories/ghidra-sql-injection-in-postgresql-password-change-via-unescaped-username
Scores
CVSS v3: 8.8
EPSS: 0.0026
EPSS Percentile: 17.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-89
Status: published
Products (3)
nationalsecurityagency/ghidra: 11.0 - 12.1
nationalsecurityagency/ghidra: 12.1
nsa/ghidra: 11.0 - 12.1
Published: Jun 10, 2026
Tracked Since: Jun 10, 2026