What is CVE-2026-6474?

CVE-2026-6474 is a medium-severity vulnerability in Postgresql, classified under Use of Externally-Controlled Format String. CVSS score: 4.3/10. Published 2026-05-14.

How severe is CVE-2026-6474?

Medium severity. CVSS v3 base score is 4.3 out of 10.

Vulnerability in Postgresql

CVE-2026-6474

Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

EPSS: 0.000 (9.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.

Affected products

Postgresql
N/a Postgresql — versions 18, 17, 16

Weakness classification (CWE)

CWE-134 — Use of Externally-Controlled Format String

References

f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 (Patch, Vendor Advisory)

Frequently asked questions

What is CVE-2026-6474?: CVE-2026-6474 is a medium-severity vulnerability in Postgresql, classified under Use of Externally-Controlled Format String. CVSS score: 4.3/10. Published 2026-05-14.
How severe is CVE-2026-6474?: Medium severity. CVSS v3 base score is 4.3 out of 10.