Security patch:
[MODERATE] GHSA-m9p2-fxp5-v3fp: Diesel: Command injection in Diesel's implementation of `COPY FROM`/`COPY TO`
GitHub Security Advisory · Security · SecurityFix · 5/19/2026
Diesel allows users to configure various options for PostgreSQL's `COPY FROM` and `COPY TO` statements. These configurations are partially provided as strings or characters. Diesel did not check if any of these user-provided options contain a quote character `'`, which can lead to the injection of ad
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
diesel postgres
Source payload preview
{
  "ghsaId": "GHSA-m9p2-fxp5-v3fp",
  "summary": "Diesel: Command injection in Diesel's implementation of `COPY FROM`/`COPY TO`",
  "severity": "MODERATE",
  "updatedAt": "2026-05-19T19:42:04Z",
  "references": [
    {
      "url": "https://github.com/diesel-rs/diesel/pull/5042"
    },
    {
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0136.html"
    },
    {
      "url": "https://github.com/advisories/GHSA-m9p2-fxp5-v3fp"
    }
  ],
  "description": "Diesel allows users to configure various options for PostgreSQL's `COPY FROM` and `COPY TO` statements. These configurations are partially provided as strings or characters. \n\nDiesel did not check if any these user-provided options contain a quote character `'`, which can lead to the injection of additional options in the curr
…