CVEInsight.

Free vulnerability intelligence for developers, security teams, and researchers. Data sourced from public databases for informational purposes only.

Explore

Legal

CVE data sourced from NVD / NIST & public disclosures.

Search Vulnerabilities

Software

Searching vulnerabilities affecting “pgbouncer”

4 vulnerabilities found for “pgbouncer”

CVE-2025-12819

HIGH7.5

Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.

pgbouncer / pgbouncer

Network

Published Dec 3, 2025

CVE-2025-2291

HIGH8.1

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password

pgbouncer / pgbouncer+1

Network

Published Apr 16, 2025

CVE-2021-3672

MEDIUM5.6

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

c-ares_project / c-ares+34

Network

Published Nov 23, 2021

CVE-2021-3935

HIGH8.1

When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. This flaw affects PgBouncer versions prior to 1.16.1.

pgbouncer / pgbouncer+3

Network

Published Nov 22, 2021