{"api_version":"1","generated_at":"2026-06-04T03:26:51+00:00","cve":"CVE-2026-6474","urls":{"html":"https://cve.report/CVE-2026-6474","api":"https://cve.report/api/cve/CVE-2026-6474.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-6474","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-6474"},"summary":{"title":"PostgreSQL timeofday() can disclose portions of server memory","description":"Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.","state":"PUBLISHED","assigner":"PostgreSQL","published_at":"2026-05-14 14:16:24","updated_at":"2026-05-18 15:00:45"},"problem_types":["CWE-134","CWE-134 Use of Externally-Controlled Format String"],"metrics":[{"version":"3.1","source":"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://www.postgresql.org/support/security/CVE-2026-6474/","name":"https://www.postgresql.org/support/security/CVE-2026-6474/","refsource":"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007","tags":["Patch","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-6474","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6474","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"PostgreSQL","version":"affected 18 18.4 rpm","platforms":[]},{"source":"CNA","vendor":"n/a","product":"PostgreSQL","version":"affected 17 17.10 rpm","platforms":[]},{"source":"CNA","vendor":"n/a","product":"PostgreSQL","version":"affected 16 16.14 rpm","platforms":[]},{"source":"CNA","vendor":"n/a","product":"PostgreSQL","version":"affected 15 15.18 rpm","platforms":[]},{"source":"CNA","vendor":"n/a","product":"PostgreSQL","version":"affected 14.23 rpm","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"The PostgreSQL project thanks Xint Code for reporting this problem.","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"6474","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"postgresql","cpe5":"postgresql","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"6474","cve":"CVE-2026-6474","epss":"0.000320000","percentile":"0.096430000","score_date":"2026-05-25","updated_at":"2026-05-26 00:10:59"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-6474","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-05-14T15:30:17.967244Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-14T15:30:37.425Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"PostgreSQL","vendor":"n/a","versions":[{"lessThan":"18.4","status":"affected","version":"18","versionType":"rpm"},{"lessThan":"17.10","status":"affected","version":"17","versionType":"rpm"},{"lessThan":"16.14","status":"affected","version":"16","versionType":"rpm"},{"lessThan":"15.18","status":"affected","version":"15","versionType":"rpm"},{"lessThan":"14.23","status":"affected","version":"0","versionType":"rpm"}]}],"credits":[{"lang":"en","value":"The PostgreSQL project thanks Xint Code for reporting this problem."}],"descriptions":[{"lang":"en","value":"Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."}],"metrics":[{"cvssV3_1":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-134","description":"Use of Externally-Controlled Format String","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-14T13:00:10.254Z","orgId":"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007","shortName":"PostgreSQL"},"references":[{"url":"https://www.postgresql.org/support/security/CVE-2026-6474/"}],"title":"PostgreSQL timeofday() can disclose portions of server memory"}},"cveMetadata":{"assignerOrgId":"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007","assignerShortName":"PostgreSQL","cveId":"CVE-2026-6474","datePublished":"2026-05-14T13:00:10.254Z","dateReserved":"2026-04-17T00:36:25.451Z","dateUpdated":"2026-05-14T15:30:37.425Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-14 14:16:24","lastModifiedDate":"2026-05-18 15:00:45","problem_types":["CWE-134","CWE-134 Use of Externally-Controlled Format String"],"metrics":{"cvssMetricV31":[{"source":"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionEndExcluding":"14.23","matchCriteriaId":"C432AE18-DD50-40EB-B46A-9283F30081DA"},{"vulnerable":true,"criteria":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"15.0","versionEndExcluding":"15.18","matchCriteriaId":"9D8D994F-ABAB-4AC2-992F-320F4868698D"},{"vulnerable":true,"criteria":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"16.0","versionEndExcluding":"16.14","matchCriteriaId":"B58AE3D3-E1C9-45D2-AA92-A3D135B77A8A"},{"vulnerable":true,"criteria":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"17.0","versionEndExcluding":"17.10","matchCriteriaId":"A19538E9-DBB9-4396-AC04-17943E82C411"},{"vulnerable":true,"criteria":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"18.0","versionEndExcluding":"18.4","matchCriteriaId":"F8DB17ED-67AD-41F2-B272-27AF5B4FA2B0"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"6474","Ordinal":"1","Title":"PostgreSQL timeofday() can disclose portions of server memory","CVE":"CVE-2026-6474","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"6474","Ordinal":"1","NoteData":"Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.","Type":"Description","Title":"PostgreSQL timeofday() can disclose portions of server memory"}]}}}