The PostgreSQL JDBC team have released 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, and 42.2.28.jre7 to address a security issue: [CVE-2024-1597](https://www.cve.org/CVERecord?id=CVE-2024-1597). (Note: there is no fix for 42.2.26.jre6; see the advisory for workarounds.)
SQL injection is possible when using the non-default connection property `preferQueryMode=simple` in combination with application SQL that negates a numeric parameter value, i.e. places a minus sign immediately before the placeholder (for example `SELECT -?`), with a string placeholder following it on the same line. In simple query mode the driver interpolates parameter values into the SQL text itself, so a negative number rendered directly after that minus sign produces `--`, which PostgreSQL reads as a line comment. There is no vulnerability in the driver when using the default (extended) query mode; users who do not override the query mode are not impacted. See the [security advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56) for the details. Thanks to [Paul Gerste](https://github.com/paul-gerste-sonarsource) for finding and reporting the issue.
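The following Python model is added here to illustrate the mechanism; it is not pgjdbc code and not part of the original announcement. It mimics what simple query mode does (client-side interpolation of parameter values into the SQL text, assuming `standard_conforming_strings=on` so only single quotes need doubling) and then strips `--` line comments the way the server's lexer would, so you can see the statement the server actually parses. The `render_literal_hardened` variant that parenthesises negative numbers is an illustrative mitigation of my own, not the fix shipped in the driver; the advisory's guidance is to stop using `preferQueryMode=simple`. The SQL, parameter values and table name are constructed for the example.

```python
"""Model of the CVE-2024-1597 mechanism: a negative numeric parameter
interpolated directly after a minus sign yields a '--' line comment.

Illustrative example only; this is not how pgjdbc is implemented and the
hardened renderer is not the upstream fix.
"""


def quote_string(value: str) -> str:
    """Standard-conforming SQL string literal: only single quotes are doubled."""
    return "'" + value.replace("'", "''") + "'"


def render_literal(value) -> str:
    """Naive simple-mode rendering: integers are emitted bare, strings quoted."""
    if isinstance(value, bool):  # bool is an int subclass; keep it explicit
        return "TRUE" if value else "FALSE"
    if isinstance(value, int):
        return str(value)  # a negative value starts with '-'
    if isinstance(value, str):
        return quote_string(value)
    raise TypeError(f"unsupported parameter type: {type(value).__name__}")


def render_literal_hardened(value) -> str:
    """Illustrative mitigation (assumption, not the pgjdbc patch): wrap negative
    numbers in parentheses so '-' followed by '-5' cannot form '--'."""
    if isinstance(value, int) and not isinstance(value, bool) and value < 0:
        return f"({value})"
    return render_literal(value)


def interpolate(sql: str, params, render=render_literal) -> str:
    """Replace each '?' outside string literals with a rendered parameter."""
    remaining = list(params)
    out = []
    in_str = False
    for ch in sql:
        if ch == "'":
            in_str = not in_str  # a doubled quote toggles twice, net unchanged
            out.append(ch)
        elif ch == "?" and not in_str:
            if not remaining:
                raise ValueError("more placeholders than parameters")
            out.append(render(remaining.pop(0)))
        else:
            out.append(ch)
    if remaining:
        raise ValueError("more parameters than placeholders")
    return "".join(out)


def effective_sql(sql: str) -> str:
    """Drop '--' comments (outside string literals) up to the end of their line,
    approximating what the server's lexer keeps. Simplification: ignores block
    comments, E'' strings and dollar quoting."""
    out = []
    in_str = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            in_str = not in_str
            out.append(ch)
        elif not in_str and sql.startswith("--", i):
            nl = sql.find("\n", i)
            if nl == -1:
                break  # comment runs to end of text
            i = nl  # keep the newline itself, drop the comment body
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


# Constructed example: a numeric placeholder directly after '-', then a string
# placeholder on the same line. Both values are attacker-controlled.
SQL = "SELECT * FROM accounts WHERE balance > -? AND owner = ?"
PARAMS = (-1, "\n0; DROP TABLE accounts; --")


def vulnerable_effective() -> str:
    """What the server parses when simple-mode rendering is used."""
    return effective_sql(interpolate(SQL, PARAMS, render_literal))


def hardened_effective() -> str:
    """What the server parses when negative numbers are parenthesised."""
    return effective_sql(interpolate(SQL, PARAMS, render_literal_hardened))


if __name__ == "__main__":
    print("rendered (vulnerable):", repr(interpolate(SQL, PARAMS)))
    print("server sees        :", repr(vulnerable_effective()))
    print("rendered (hardened) :", repr(interpolate(SQL, PARAMS, render_literal_hardened)))
    print("server sees        :", repr(hardened_effective()))
```

The vulnerable rendering turns `-?` with `-1` into `--1`, which comments out the rest of that line, including the opening quote of the second literal; the newline inside the second parameter ends the comment, and whatever follows it is parsed as SQL, here a second statement that the simple protocol will happily execute in the same round trip. The parenthesised rendering keeps `DROP TABLE` inside the string literal.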