CVE-2026-40906
CVSS 9.9
The order_by parameter of ElectricSQL's /v1/shape API does not sanitize its input, so any authenticated user can inject SQL through a crafted ORDER BY expression. The impact is not limited to reads: an attacker can read, write, and delete everything in the backing PostgreSQL database. If your Electric instance is reachable by untrusted users, your entire database is exposed.