GORM PostgreSQL Driver v1.5.7 Carries a Critical CVSS 9.8 Vulnerability via Its pgx Dependency
A critical security flaw has been reported that affects the widely used GORM PostgreSQL driver, exposing applications that build it to what the report describes as a remote code execution risk. The vulnerability, tracked as CVE-2026-33815, carries a CVSS score of 9.8 (critical) and originates not in GORM's own code but in its transitive dependency on the `github.com/jackc/pgx/v5` library. The report lists no fixed version for `gorm.io/driver/postgres` v1.5.7, so developers pinned to that release have no driver upgrade that clears the finding.
The vulnerability report details six security issues in the driver's dependency chain, with CVE-2026-33815 being the most severe. The flaw is classified as transitive: it is introduced through an indirect library (`github.com/jackc/pgx/v5` v5.4.3) that the driver requires, not through the driver package itself. This complicates patching, since updating the GORM driver alone does not change the pgx code that is compiled into the application. The report states that no standard version upgrade of this driver release resolves the issue. Note, however, how Go modules actually select versions: the driver's `go.mod` only sets a minimum for pgx/v5, and an application's own `go.mod` may require a newer pgx/v5 directly, in which case minimal version selection builds the newer one without any change to the driver. A missing fix in the driver's own release line therefore does not by itself block remediation once a patched pgx/v5 release exists; what matters is which pgx/v5 version `go list -m all` shows as selected for the build.
This situation places significant pressure on development teams using GORM for database operations in Go applications. The lack of a fix within the driver's own version line forces teams to seek alternative mitigation strategies: raising the pgx/v5 requirement directly in the application's `go.mod` (a direct `require`, or a `replace` directive), vendoring and manually patching the pgx library, or moving to a different driver version or database connector altogether. The presence of several other vulnerabilities alongside the critical one adds to the scrutiny on this essential component of the Go ecosystem's data layer.
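The two checks a practitioner wants after reading the paragraphs above are (1) which pgx/v5 version the build actually selects, since that, not the driver's own `go.mod`, is what gets compiled, and (2) whether raising the application's direct requirement would change that selection. The following Go program is an added example and is not code from the article, from GORM or from pgx. It parses output in the format of `go list -m all` (the embedded sample is constructed, not captured from a real build), checks the selected pgx/v5 version against the v5.4.3 the report names, and prints the `go get` command that would raise the application's own requirement. The target version `v5.99.0` is a placeholder assumed for illustration; the article names no fixed pgx/v5 release, so substitute the version the advisory eventually names.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module paths and the affected version exactly as the report names them.
const (
	pgxModule    = "github.com/jackc/pgx/v5"
	affectedPgx  = "v5.4.3"
	driverModule = "gorm.io/driver/postgres"
)

// Constructed to resemble `go list -m all` output for an application that
// depends on gorm.io/driver/postgres v1.5.7; not captured from a real build.
const sampleModuleList = `example.com/myapp
github.com/jackc/pgpassfile v1.0.0
github.com/jackc/pgx/v5 v5.4.3
github.com/jinzhu/inflection v1.0.0
github.com/jinzhu/now v1.1.5
golang.org/x/text v0.13.0
gorm.io/driver/postgres v1.5.7
gorm.io/gorm v1.25.5
`

// ParseModuleList maps module path -> version the build selects. The main
// module line carries no version and is skipped; for a replace line
// ("old vX => new vY") the right-hand side is what actually compiles.
func ParseModuleList(out string) map[string]string {
	mods := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		version := f[1]
		if len(f) >= 4 && f[2] == "=>" {
			version = f[len(f)-1] // replacement version, or a local directory
		}
		mods[f[0]] = version
	}
	return mods
}

// CompareSemver orders vMAJOR.MINOR.PATCH tags; pre-release and build
// suffixes are ignored, which suffices for the release tags compared here.
func CompareSemver(a, b string) int {
	num := func(v string) [3]int {
		v = strings.TrimPrefix(v, "v")
		if i := strings.IndexAny(v, "-+"); i >= 0 {
			v = v[:i]
		}
		var n [3]int
		for i, p := range strings.SplitN(v, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n
	}
	x, y := num(a), num(b)
	for i := range x {
		if x[i] < y[i] {
			return -1
		}
		if x[i] > y[i] {
			return 1
		}
	}
	return 0
}

// Finding: which pgx/v5 the build really uses, whether it is the version the
// report names, and whether raising the application's own requirement to
// targetPgx would change the selection (minimal version selection only raises).
type Finding struct {
	DriverVersion string
	PgxVersion    string
	Affected      bool
	BumpNeeded    bool
	Remediation   string
}

func Assess(mods map[string]string, targetPgx string) Finding {
	f := Finding{DriverVersion: mods[driverModule], PgxVersion: mods[pgxModule]}
	if f.PgxVersion == "" {
		return f // pgx/v5 is not part of this build at all
	}
	f.Affected = f.PgxVersion == affectedPgx
	f.BumpNeeded = CompareSemver(f.PgxVersion, targetPgx) < 0
	if f.BumpNeeded {
		// A direct requirement in the application's go.mod overrides the
		// driver's older minimum; the driver itself needs no change.
		f.Remediation = fmt.Sprintf("go get %s@%s && go mod tidy && go list -m %s",
			pgxModule, targetPgx, pgxModule)
	}
	return f
}

func main() {
	const targetPgx = "v5.99.0" // placeholder: use the release the advisory names
	f := Assess(ParseModuleList(sampleModuleList), targetPgx)
	fmt.Printf("driver %s builds pgx/v5 %s (affected: %v)\n", f.DriverVersion, f.PgxVersion, f.Affected)
	if f.BumpNeeded {
		fmt.Println("remediation:", f.Remediation)
	}
}
```

Run it against real output by piping `go list -m all` into `ParseModuleList` instead of the sample. Whether the vulnerable pgx code is actually reachable from your binary is a separate question; `govulncheck ./...` (from `golang.org/x/vuln`) answers it from the call graph, which is worth running before treating the finding as confirmed exploitable.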