CVE-2026-33816

Severity: Critical (Updated)
Published: 07 April 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: see Go security advisory GO-2026-4772
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0038 (29.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-33816 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Jackc Pgx. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 29.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33816 is a memory-safety vulnerability in the github.com/jackc/pgx/v5 Go package. Published on 2026-04-07T16:16:24.920, it carries a CVSS v3.1 base score of 9.8 and is associated with CWE category NVD-CWE-noinfo.

The vulnerability enables exploitation over the network with low complexity, requiring no privileges, no user interaction, and no change in scope (AV:N/AC:L/PR:N/UI:N/S:U). A successful attack can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution or system compromise in affected applications using the pgx/v5 driver.

Mitigation guidance is provided in the Go security advisory GO-2026-4772, available at https://pkg.go.dev/vuln/GO-2026-4772.

Vulnerability details

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The memory-safety vulnerability in the pgx/v5 library enables remote, unauthenticated exploitation leading to arbitrary code execution and system compromise in affected applications, directly mapping to T1190 for exploiting public-facing applications over the network.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33815 (same product: Jackc Pgx)
CVE-2026-32286 (same vendor: Jackc)

Affected Assets

jackc/pgx, versions ≤ 5.9.0

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and patching of the memory-safety flaw in the pgx/v5 package to prevent exploitation of CVE-2026-33816.

RA-5 Vulnerability Monitoring and Scanning (detect): Vulnerability scanning detects applications using the vulnerable pgx/v5 Go package affected by CVE-2026-33816.

Memory protection (prevent): System memory protections such as DEP and ASLR mitigate successful remote code execution from the memory-safety vulnerability in pgx/v5.