CVE-2026-33816
Published: 07 April 2026
Summary
CVE-2026-33816 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Jackc Pgx. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 29.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-33816 is a memory-safety vulnerability in the github.com/jackc/pgx/v5 Go package. Published on 2026-04-07T16:16:24.920, it carries a CVSS v3.1 base score of 9.8 and is associated with CWE category NVD-CWE-noinfo.
The vulnerability enables exploitation over the network with low complexity, requiring no privileges, no user interaction, and no change in scope (AV:N/AC:L/PR:N/UI:N/S:U). A successful attack can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution or system compromise in affected applications using the pgx/v5 driver.
Mitigation guidance is provided in the Go security advisory GO-2026-4772, available at https://pkg.go.dev/vuln/GO-2026-4772.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19709
Vulnerability details
Memory-safety vulnerability in github.com/jackc/pgx/v5.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The memory-safety vulnerability in the pgx/v5 library enables remote, unauthenticated exploitation leading to arbitrary code execution and system compromise in affected applications, directly mapping to T1190 for exploiting public-facing applications over the network.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and patching of the memory-safety flaw in the pgx/v5 package to prevent exploitation of CVE-2026-33816.
- RA-5 (Vulnerability Monitoring and Scanning): Vulnerability scanning detects applications using the vulnerable pgx/v5 Go package affected by CVE-2026-33816.
- Memory protection: System memory protections such as DEP and ASLR mitigate successful remote code execution from the memory-safety vulnerability in pgx/v5.