How to fix CVE-2025-12762?

Within 7 days: Identify all affected systems running versions and apply vendor patches promptly. Validate that input sanitization is in place for all user-controlled parameters.

Is Pgadmin 4 affected by CVE-2025-12762?

Organizations using versions face critical risk from CVE-2025-12762, a code injection vulnerability rated CVSS 9.1. Successful exploitation could allow attackers to execute arbitrary code or commands on affected systems, potentially leading to full system compromise.

CVE-2025-12762

CRITICAL

2025-11-13 f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

9.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 28, 2026 - 19:22 vuln.today

CVE Published

Nov 13, 2025 - 13:15 nvd

CRITICAL 9.1

Description

pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.

Analysis

pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical Context

This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data. Affected products include: Pgadmin Pgadmin 4. Version information: up to 9.9.

Affected Products

Pgadmin Pgadmin 4.

Remediation

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +46

POC: 0

Vendor Status

CVE-2025-12762 vulnerability details – vuln.today

Back

CVE-2025-12762

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-12762

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code