The PostgreSQL JDBC team have released 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, and 42.2.28.jre7 to address a security issue: CVE-2024-1597. (Note that there is no fix for 42.2.26.jre6; see the advisory for workarounds.)
SQL injection is possible when the non-default connection property preferQueryMode=simple is used in combination with application code containing a vulnerable SQL statement that negates a parameter value.
There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted.
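An inventory check built from the conditions above, added here as an example and not part of the pgjdbc project: it flags a deployment only when the JDBC URL sets preferQueryMode=simple and the driver version is below the fixed release of its line. The function names and sample entries are constructed, and it assumes the property is set in the URL rather than through a Properties object or other configuration.

```python
from urllib.parse import parse_qs

# Fixed releases named in the announcement, keyed by (major, minor) release line.
FIXED = {(42, 7): 2, (42, 6): 1, (42, 5): 5, (42, 4): 4, (42, 3): 9, (42, 2): 28}


def parse_version(version):
    """Split a released version such as '42.2.27.jre7' into numbers and suffix."""
    parts = version.strip().split(".")
    major, minor, patch = (int(p) for p in parts[:3])
    return major, minor, patch, ".".join(parts[3:])


def has_fix(version):
    """True or False for release lines listed in FIXED, None for any other line."""
    major, minor, patch, suffix = parse_version(version)
    if suffix == "jre6":
        return False  # the announcement states there is no fixed jre6 build
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return None   # line not named in the announcement: do not guess
    return patch >= fixed_patch


def uses_simple_mode(jdbc_url):
    """True when the URL overrides the query mode with preferQueryMode=simple."""
    _, _, query = jdbc_url.partition("?")
    return "simple" in parse_qs(query).get("preferQueryMode", [])


def assess(version, jdbc_url):
    """Classify one deployment as not-exposed, fixed, exposed or unlisted."""
    if not uses_simple_mode(jdbc_url):
        return "not-exposed"  # the vulnerable condition requires simple mode
    fixed = has_fix(version)
    if fixed is None:
        return "unlisted"     # check the advisory for this release line
    return "fixed" if fixed else "exposed"


if __name__ == "__main__":
    # Constructed sample inventory: (driver version, JDBC URL).
    inventory = [
        ("42.7.1", "jdbc:postgresql://db.example.internal/app?preferQueryMode=simple"),
        ("42.7.2", "jdbc:postgresql://db.example.internal/app?preferQueryMode=simple"),
        ("42.5.0", "jdbc:postgresql://db.example.internal/app?ssl=true"),
        ("42.2.26.jre6", "jdbc:postgresql://db.example.internal/app?preferQueryMode=simple"),
    ]
    for version, url in inventory:
        print(f"{version:14} {assess(version, url):12} {url}")
```

Entries reported as exposed need either an upgrade to the fixed release of their line or, for the jre6 build, the workarounds in the advisory.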
See the security advisory for the details. Thanks to Paul Gerste for finding and reporting the issue.