CVE-2026-49498 HIGH

CVE-2026-49498: Ghidra 11.0 < 12.1 - SQL Injection in PostgreSQL Password Change via Unescaped Username

Vendor Nationalsecurityagency

Product ghidra

Weakness CWE-89 · SQLi

Published June 10, 2026

Last update June 10, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in PasswordChange network messages to escalate to PostgreSQL superuser privileges and gain full database control.

Key dates

02Disclosure timeline

June 10, 2026 CVE published

June 10, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-49498

Related vulnerabilities

CVE-2026-49498: Ghidra 11.0 < 12.1 - SQL Injection in PostgreSQL Password Change via Unescaped Username

01Description

02Disclosure timeline

03References

04Related CVE