Guillaume Winter discovered that pgextwlist, an extension for PostgreSQL implementing a whitelist mechanism for PostgreSQL extensions, was susceptible to SQL injection via crafted schema and user names. For the stable distribution (trixie), this problem has been fixed in version 1.19-1+deb13u1.
July 8, 2026