CRITICALVulnerability
Verified
Global

NVD CRITICAL: CVE-2026-6665 — The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strl...

·Source: NIST NVD

Updated:

Executive Summary

The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow.

Analysis

The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow. CVSS Score: 8.1. Published: 2026-05-09T01:16:09.013.

Indicators of Compromise (1)

CVE (1)
CVE-2026-6665
NVDMITRE CVE
Source Attribution

Originally published by NIST NVD on May 9, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerability

Colorado governor commutes prison sentence for election denier Tina Peters

Peters was sentenced to nine years for stealing voting data and has been publicly unrepentant. But Colorado Governor Jared Polis has been hinting at the decision for months. The post Colorado governor commutes prison sentence for election denier Tina Peters appeared first on CyberScoop .

CyberScoop
MEDIUMVulnerability

More than $10 million stolen from crypto platform THORChain

THORChain officials said the investigation into the incident is ongoing but explained that one of their six vaults was compromised, leading to a loss of about $10.7 million.

The Record
CRITICALVulnerability

Funnel Builder WordPress plugin bug exploited to steal credit cards

A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript snippets into WooCommerce checkout pages. [...]

BleepingComputer