{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-49498: Ghidra 11.0 < 12.1 - SQL Injection in PostgreSQL Password Change via Unescaped Username","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-49498","status":"final","version":"1","initial_release_date":"2026-06-10T12:38:34.069Z","current_release_date":"2026-06-10T13:52:10.788Z","revision_history":[{"date":"2026-06-10T12:38:34.069Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in PasswordChange network messages to escalate to PostgreSQL superuser privileges and gain full database control.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-49498 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-49498"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-49498"},{"category":"external","summary":"GitHub Security Advisory (GHSA-vv7r-2rhf-5h7g)","url":"https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-vv7r-2rhf-5h7g"},{"category":"external","summary":"vulncheck.com","url":"https://www.vulncheck.com/advisories/ghidra-sql-injection-in-postgresql-password-change-via-unescaped-username"}]},"product_tree":{"branches":[{"category":"vendor","name":"nationalsecurityagency","branches":[{"category":"product_name","name":"ghidra","branches":[{"category":"product_version_range","name":">=11.0 <12.1","product":{"name":"nationalsecurityagency ghidra >=11.0 <12.1","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:nationalsecurityagency:ghidra:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"12.1","product":{"name":"nationalsecurityagency ghidra 12.1","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:nationalsecurityagency:ghidra:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-49498","title":"Ghidra 11.0 < 12.1 - SQL Injection in PostgreSQL Password Change via Unescaped Username","notes":[{"category":"description","text":"Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in PasswordChange network messages to escalate to PostgreSQL superuser privileges and gain full database control.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"],"fixed":["CSAFPID-2"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","baseScore":8.7,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 12.1.","product_ids":["CSAFPID-1"]}]}]}