RUSTSEC-2026-0180

A malicious or compromised server can return a binary hstore value with an invalid internal length field, causing the client to panic while decoding it.

Applications that connect only to a trusted database are not exposed; the risk applies to clients that may connect to untrusted or user-supplied servers, or whose connection can be intercepted by a man-in-the-middle.