The PostgreSQL JDBC team have released 42.2.26 and 42.4.1 to address a security issue: CVE-2022-31197. This is only an issue if you are using ResultSet.refreshRow()
Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include statement terminator to be parsed and executed as multiple separate commands. More information about this security advisory is available here
Thanks to Sho Kato https://github.com/kato-sho for finding and reporting the issue
Regards,
pgjdbc team