PostgreSQL has released security and bug-fix updates across all supported versions: 18.4, 17.10, 16.14, 15.18, and 14.23. The release patches 11 security vulnerabilities, several with CVSS scores of 8.8, including: missing authorization in CREATE TYPE enabling arbitrary SQL execution, integer wraparound causing out-of-bounds writes, symlink following in pg_basebackup and pg_rewind allowing file overwrites, SQL injection in pg_createsubscriber and REFRESH PUBLICATION, stack buffer overflow in the refint module, libpq lo_* functions allowing server superuser to overwrite client stack memory, a timing channel in MD5 password comparison, and uncontrolled recursion in SSL/GSS negotiation. Over 60 additional bugs are fixed. PostgreSQL 14 reaches end-of-life on November 12, 2026. Time zone data is updated to tzdata 2026b.