
pgAdmin 4 CVE-2026-7816

EUVD-2026-29084 | HIGH
SQL Injection (CWE-89)
2026-05-11 PostgreSQL GHSA-j74f-g7vx-fh4x
CVSS 4.0 score: 8.7

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Patch available - May 11, 2026 17:17 (EUVD)
Re-analysis queued - May 11, 2026 16:22 (vuln.today)
CVSS changed - May 11, 2026 16:22 (NVD): 8.8 (HIGH) -> 8.7 (HIGH)
Analysis generated - May 11, 2026 15:46 (vuln.today)
CVE published - May 11, 2026 14:35 (NVD): HIGH 8.8

Blast Radius

Ecosystem impact (from your stack dependencies; transitive graph, vuln.today resolves to a depth of 4 paths):
  • 1 PyPI package depends on pgadmin4 (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 9.15.

Description (NVD)

OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export.

User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also interpolated without validation and were exploitable.

The fix adds a parenthesis-balance parser modeled on psql's strtokx tokenizer, allow-lists the format, on_error and log_verbosity fields, rejects null bytes in the query, and tightens type and gating checks.

This issue affects pgAdmin 4: before 9.15.
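The validation strategy the description attributes to the fix (quote-aware parenthesis balancing before the query is placed inside the \copy (...) wrapper, allow-lists for the option fields, rejection of null bytes) can be illustrated in a few lines. The following is an added example written for this page, not pgAdmin's own code: the function and constant names are this example's own, and the allowed option values are taken from the PostgreSQL COPY documentation rather than from pgAdmin.

```python
"""Validation for a psql \\copy export template (illustrative, added example).

The names ALLOWED_FORMATS, paren_depth_ok and build_copy_command are this
example's own and are not taken from pgAdmin's source.
"""

# Allow-lists for the option fields the advisory says were raw-interpolated.
# Value sets follow the PostgreSQL COPY documentation (assumption: adjust to
# the server version actually in use).
ALLOWED_FORMATS = {"text", "csv", "binary"}
ALLOWED_ON_ERROR = {"stop", "ignore"}
ALLOWED_LOG_VERBOSITY = {"default", "verbose", "silent"}


class QueryValidationError(ValueError):
    """Raised when user input must not be placed into the \\copy template."""


def paren_depth_ok(query: str) -> bool:
    """Return True only if parentheses balance outside quoted regions.

    Single-quoted literals and double-quoted identifiers are skipped, with a
    doubled quote treated as an escape, so a ')' inside 'a) b' does not count.
    A ')' that takes the depth below zero would close the \\copy ( ... )
    wrapper before the template does, so it fails; so does an unterminated
    quote, which would swallow the rest of the template.
    """
    depth = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch in ("'", '"'):
            quote = ch
            i += 1
            while i < n:
                if query[i] == quote:
                    if i + 1 < n and query[i + 1] == quote:  # '' or "" escape
                        i += 2
                        continue
                    break
                i += 1
            if i >= n:
                return False  # unterminated quote
            i += 1  # step past the closing quote
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


def build_copy_command(query, path, fmt="csv", on_error=None, log_verbosity=None):
    """Validate each user-controlled field, then render the \\copy command."""
    if "\x00" in query:
        raise QueryValidationError("null byte in query")
    if not paren_depth_ok(query):
        raise QueryValidationError("unbalanced parentheses or quotes in query")
    if fmt not in ALLOWED_FORMATS:
        raise QueryValidationError(f"format not allowed: {fmt!r}")
    options = [f"FORMAT {fmt}"]
    if on_error is not None:
        if on_error not in ALLOWED_ON_ERROR:
            raise QueryValidationError(f"on_error not allowed: {on_error!r}")
        options.append(f"ON_ERROR {on_error}")
    if log_verbosity is not None:
        if log_verbosity not in ALLOWED_LOG_VERBOSITY:
            raise QueryValidationError(f"log_verbosity not allowed: {log_verbosity!r}")
        options.append(f"LOG_VERBOSITY {log_verbosity}")
    # The output path is chosen by the server side in this example; single
    # quotes are doubled so the path cannot terminate the quoted target.
    safe_path = path.replace("'", "''")
    return f"\\copy ({query}) TO '{safe_path}' WITH ({', '.join(options)})"


def is_safe_query(query):
    """True if build_copy_command would accept the query with default options."""
    try:
        build_copy_command(query, "/tmp/export.csv")
    except QueryValidationError:
        return False
    return True


if __name__ == "__main__":
    print(build_copy_command("SELECT id, name FROM users WHERE name = 'a) b'", "/tmp/out.csv"))
    print(is_safe_query("SELECT 1) TO PROGRAM 'cmd' --"))
```

The check rejects the break-out pattern quoted in the description because the first unquoted ')' takes the depth negative, while a query whose only ')' sits inside a string literal is still accepted. Allow-listing the option fields, rather than escaping them, removes the need to reason about which characters psql would treat specially.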

Analysis (AI)

Authenticated remote code execution in pgAdmin 4 versions before 9.15 allows low-privilege users to execute arbitrary OS commands on the pgAdmin server via unsanitized input in the Import/Export query export feature. Attackers inject malicious payloads into psql \copy metacommand templates to break out of the query context and invoke PROGRAM directives or write arbitrary files. …


Remediation (AI)

Within 24 hours: Identify all pgAdmin 4 instances in your environment and confirm versions (run 'pgAdmin --version' or check Settings > About). Within 7 days: If running versions before 9.15, implement network-level access controls restricting pgAdmin to administrative users only and disable the Import/Export query feature via pgAdmin configuration. …


Vendor Status (Vendor)
