pgAdmin 4
Open redirect in pgAdmin 4's MFA validate and register endpoints allows network-accessible attackers to abuse the authentication flow as a phishing launchpad. Affected versions 6.0 through 9.15 pass the user-supplied 'next' query and form parameter directly to Flask's redirect response without verifying the target is same-origin, meaning a crafted URL such as /mfa/validate?next=https://attacker.example/fake-login silently forwards the victim from a trusted pgAdmin URL to an attacker-controlled site. No public exploit is identified at time of analysis and this CVE is not listed in CISA KEV; however, a reporter-supplied PoC was confirmed by the vendor and is documented in the upstream regression test suite.
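The same-origin check the MFA 'next' parameter was missing, as an added example that is not pgAdmin's own code. The function names, and the `request_host` argument (the Host header the request arrived on, port included if non-default), are assumptions for illustration; the cases it rejects are the ones that typically slip past naive "starts with /" checks: absolute URLs to other hosts, scheme-relative `//host` URLs, backslash variants that browsers normalise to slashes, userinfo tricks, and non-http schemes.

```python
from urllib.parse import urlparse


def is_safe_redirect_target(next_url: str, request_host: str) -> bool:
    """Return True only if next_url stays on the origin identified by request_host.

    Added example (not pgAdmin code). request_host is assumed to be the exact
    Host value of the current request, including a non-default port if any.
    """
    if not next_url:
        return False
    # Browsers treat backslashes as forward slashes, so '/\attacker.example'
    # becomes '//attacker.example' client-side; normalise the same way first.
    candidate = next_url.strip().replace("\\", "/")
    if candidate.startswith("//"):
        return False  # scheme-relative URL: the browser fills in https://attacker...
    parsed = urlparse(candidate)
    if parsed.scheme:
        if parsed.scheme not in ("http", "https"):
            return False  # javascript:, data:, vbscript:, ...
        if not parsed.netloc:
            return False  # 'https:attacker.example' is parsed inconsistently; refuse
    # netloc still contains any userinfo, so 'pgadmin.internal@attacker.example'
    # fails this comparison rather than being mistaken for our own host.
    if parsed.netloc and parsed.netloc.lower() != request_host.lower():
        return False
    return True


def resolve_redirect(next_url: str, request_host: str, fallback: str = "/") -> str:
    """What a fixed handler should do: honour 'next' only if it passes the
    check, otherwise send the user to a known-good in-app location."""
    if is_safe_redirect_target(next_url, request_host):
        return next_url
    return fallback
```

A stricter variant that many teams prefer is to accept only path-only values (no scheme, no netloc) and never an absolute URL at all; the check above is the minimal one that still preserves same-origin absolute links.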
Stored cross-site scripting in pgAdmin 4 versions 6.0 through 9.15 allows a malicious or attacker-influenced PostgreSQL server to inject arbitrary HTML into pgAdmin's interface via ErrorResponse messages and EXPLAIN plan fields rendered through html-react-parser. Because the injection executes inside pgAdmin's own DOM, an attacker can render convincing phishing dialogs or redirect the top-level tab via iframe srcdoc, bypassing standard X-Frame-Options and frame-ancestors protections. No public exploit identified at time of analysis, but the vendor has shipped a multi-layer fix in 9.16.
HTML injection in pgAdmin 4's Cloud Wizard (versions 6.6 through 9.15.x) allows authenticated users to embed arbitrary HTML into the tool's DOM by exploiting unescaped AWS, Azure, and Google Cloud SDK exception text propagated into JSON response fields and parsed by html-react-parser. The primary impact is self-targeted DOM manipulation - the authenticated user who submits the crafted payload is the one who sees it rendered - with escalation to cross-user exploitation requiring an additional CSRF primitive to forge a valid X-pgA-CSRFToken in a victim's browser. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, consistent with its CVSS 4.0 Medium rating of 4.8.
Remote unauthenticated access to two SQL Editor endpoints in pgAdmin 4 server-mode deployments (versions 6.9 through 9.15) exposes a pickle.loads sink that can be reached without a valid pgAdmin session. The defect is the missing @pga_login_required decorator on DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did>; turning this into code execution additionally requires an attacker to possess the Flask SECRET_KEY and write access to the sessions/ directory from a separate channel. No public exploit identified at time of analysis, and the issue does not appear on CISA KEV.
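Why a reachable pickle.loads is treated as a code-execution sink even when the immediate bug is only a missing login decorator, as an added example that is not pgAdmin's code. It builds a pickle whose load step invokes an arbitrary callable (os.getcwd stands in for os.system so the demo is harmless), shows that plain pickle.loads runs it, and shows a restricted unpickler of the kind the Python documentation recommends refusing it. The allow-list of builtins is an assumption for this example; the restriction belongs alongside, not instead of, the authentication fix.

```python
import builtins
import io
import os
import pickle

# Assumption for this example: legitimate session payloads only contain
# plain containers and scalars, so these are the only globals ever needed.
_SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "tuple"), ("builtins", "str"), ("builtins", "bytes"),
    ("builtins", "int"), ("builtins", "float"), ("builtins", "bool"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global reference outside _SAFE_GLOBALS.

    Arbitrary-code pickles work by referencing a callable (os.system,
    subprocess.Popen, ...) and applying it on load; find_class is the
    single choke point through which every such reference passes.
    """

    def find_class(self, module, name):
        if (module, name) in _SAFE_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data: bytes):
    # The sink the advisory describes: whatever the bytes say, gets executed.
    return pickle.loads(data)


class _ReduceToCall:
    """Serialises as 'call os.getcwd()'. A real payload would name os.system
    and pass a shell command; getcwd proves the call happens without harm."""

    def __reduce__(self):
        return (os.getcwd, ())


def build_malicious_pickle() -> bytes:
    # Constructed payload for the demo; dumping does not execute anything,
    # only loading does.
    return pickle.dumps(_ReduceToCall())


def is_rejected(data: bytes) -> bool:
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False
```

Note that the malicious bytes decode to a perfectly ordinary-looking pickle stream; nothing short of inspecting the global references (or not using pickle for data that can be written by anyone but the server itself) distinguishes them from a benign session dictionary.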
Remote SQL injection via prompt injection in pgAdmin 4 versions 9.13 through 9.15 allows attackers who can write content into database objects the AI Assistant inspects to bypass the read-only transaction wrapper and execute arbitrary SQL with the pgAdmin user's database role. When that role is a PostgreSQL superuser or holds pg_execute_server_program, the chain escalates to remote code execution on the database host via COPY ... TO PROGRAM. No public exploit identified at time of analysis; CVSS 4.0 base score is 9.4 (Critical) and an upstream fix is available.
{gid}/{sid}) permits a low-privilege authenticated user with an active PostgreSQL session to inject additional SQL statements by exploiting unsafe str.format() interpolation of the user-supplied 'value' field. Affected versions span pgAdmin 4 from 1.0 through 9.15; a patch was released in version 9.16. The injected SQL executes only under the authenticated user's existing database role, so no privilege boundary is crossed - the principal risk is bypass of application-layer controls that restrict the Query Tool while leaving the restore-point endpoint accessible. No public exploit or active exploitation confirmed at time of analysis.
SQL injection in pgAdmin 4 versions 1.0 through 9.15 allows an authenticated user with object-modification rights to inject SQL via the description field of Domain, Domain Constraint, Foreign Table, Language, Event Trigger, and View dialogs, where Jinja templates wrapped the value in single quotes instead of passing it through the qtLiteral escape filter. Sixteen template sites plus ten related pgstattuple/pgstatindex identifier sinks share the defect; injected SQL executes as the connected PostgreSQL role, and if that role can use COPY ... TO/FROM PROGRAM it pivots to OS command execution on the database host. No public exploit identified at time of analysis, and the vendor notes the bug does not cross a privilege boundary since the same user already has direct SQL access via the Query Tool.
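Both of the two preceding entries are the same defect seen from two template engines: a value is dropped between single quotes that the template itself supplies (str.format in the restore-point endpoint, Jinja in the description fields) instead of being quoted as a literal. The block below, an added example rather than pgAdmin's code, puts the vulnerable and fixed string builders side by side for both cases and counts top-level statements to show where the injected `DROP TABLE` lands. `qt_literal` and `qt_ident` are this example's stand-ins for pgAdmin's qtLiteral/qtIdent filters and assume standard_conforming_strings is on (the PostgreSQL default since 9.1); when the driver allows it, server-side parameters are still preferable to any client-side quoting.

```python
def qt_literal(value: str) -> str:
    """Quote a string as a PostgreSQL literal.

    Assumption: standard_conforming_strings=on, so the single quote is the
    only metacharacter and doubling it is sufficient. NUL cannot appear in a
    PostgreSQL string at all; reject it rather than let it truncate silently.
    """
    if "\x00" in value:
        raise ValueError("NUL byte in SQL literal")
    return "'" + value.replace("'", "''") + "'"


def qt_ident(name: str) -> str:
    """Quote an identifier (the object-name sinks): double-quote it and
    double any embedded double quotes."""
    if "\x00" in name:
        raise ValueError("NUL byte in SQL identifier")
    return '"' + name.replace('"', '""') + '"'


def restore_point_sql_vulnerable(value: str) -> str:
    # The str.format() pattern: the template supplies the quotes, the raw
    # user value goes between them, and a quote in the value breaks out.
    return "SELECT pg_create_restore_point('{value}');".format(value=value)


def restore_point_sql_fixed(value: str) -> str:
    return "SELECT pg_create_restore_point({v});".format(v=qt_literal(value))


def comment_sql_vulnerable(kind: str, name: str, description: str) -> str:
    # Jinja-style template that wraps the description in quotes itself.
    return "COMMENT ON {k} {n} IS '{d}';".format(k=kind, n=name, d=description)


def comment_sql_fixed(kind: str, name: str, description: str) -> str:
    return "COMMENT ON {k} {n} IS {d};".format(
        k=kind, n=qt_ident(name), d=qt_literal(description))


def statement_count(sql: str) -> int:
    """Count top-level statements: semicolons outside single-quoted literals.

    A doubled quote inside a literal toggles the state twice, so escaped
    quotes need no special handling. Comments are ignored on purpose: the
    trailing '--' in the payload only matters once the literal is broken.
    """
    in_literal = False
    count = 0
    for ch in sql:
        if ch == "'":
            in_literal = not in_literal
        elif ch == ";" and not in_literal:
            count += 1
    return count


# Constructed injection string for the demo: closes the literal and the
# function call, appends a second statement, comments out the remainder.
PAYLOAD = "x'); DROP TABLE important; --"
```

With PAYLOAD, the vulnerable builders yield two statements and the fixed builders one: the whole payload, quotes and all, stays inside the literal. As the advisory notes, the injected statement runs as the already-connected role, so the gain for an attacker is bypassing any application-layer restriction on the Query Tool, not crossing a privilege boundary.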
Symbolic link path traversal in pgAdmin 4 File Manager allows authenticated users to write arbitrary files on the server filesystem. Attackers with valid credentials can plant symlinks in their storage directory pointing outside it, bypassing access controls to overwrite critical system files or application configurations with the privileges of the pgAdmin process. The vulnerability combines CWE-61 (symlink following) with a time-of-check-time-of-use race condition: a path that is validated and then opened by name can be swapped for a symlink between the two steps. Affects all pgAdmin 4 versions before 9.15. No active exploitation confirmed (not in CISA KEV), but exploitation is straightforward for authenticated attackers given the detailed fix description published by the PostgreSQL project.
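A write routine that closes both halves of the bug, as an added example that is not pgAdmin's code. Checking os.path.realpath and then opening by name leaves the race the advisory mentions; instead the routine walks the user-supplied relative path one component at a time with dir_fd and O_NOFOLLOW, so a symlink at any level (a file symlink, or a directory symlink leading out of the storage root) is refused by the kernel at open time and there is no window between check and use. The helper names and the constructed storage-directory scenario in `demo()` are this example's own; it requires a POSIX platform with dir_fd support (Linux).

```python
import os
import shutil
import tempfile


def _open_within(root_fd: int, relpath: str, flags: int, mode: int = 0o600) -> int:
    """Open relpath relative to root_fd without ever following a symlink.

    Each directory component is opened with O_DIRECTORY|O_NOFOLLOW relative
    to the previous one, and the leaf with O_NOFOLLOW, so the path that is
    checked is the path that is used; there is no name-based re-lookup.
    """
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or relpath.startswith("/") or ".." in parts:
        raise PermissionError(f"rejected path {relpath!r}")
    fd = os.dup(root_fd)
    try:
        for comp in parts[:-1]:
            nfd = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
        return os.open(parts[-1], flags | os.O_NOFOLLOW, mode, dir_fd=fd)
    finally:
        os.close(fd)


def write_within(root: str, relpath: str, data: bytes) -> None:
    """Write data to root/relpath, refusing any symlink along the way."""
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        fd = _open_within(root_fd, relpath, os.O_WRONLY | os.O_CREAT | os.O_TRUNC)
    finally:
        os.close(root_fd)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: a per-user storage directory that the user has
    seeded with a file symlink and a directory symlink pointing outside it.
    Returns the outcome of each attempted write."""
    outside = tempfile.mkdtemp(prefix="outside-")
    target = os.path.join(outside, "config_local.py")
    with open(target, "w") as f:
        f.write("ORIGINAL\n")
    root = tempfile.mkdtemp(prefix="storage-")
    os.symlink(target, os.path.join(root, "report.txt"))  # file symlink out
    os.symlink(outside, os.path.join(root, "sub"))        # dir symlink out
    results = {}
    try:
        for rel in ("report.txt", "sub/config_local.py", "../escape.txt", "notes.txt"):
            try:
                write_within(root, rel, b"PWNED\n")
                results[rel] = "written"
            except OSError as exc:  # PermissionError and ELOOP both land here
                results[rel] = type(exc).__name__
        with open(target) as f:
            results["target_intact"] = f.read() == "ORIGINAL\n"
        with open(os.path.join(root, "notes.txt"), "rb") as f:
            results["notes_content"] = f.read()
    finally:
        shutil.rmtree(root)
        shutil.rmtree(outside)
    return results
```

The writes through both symlinks fail with ELOOP from the kernel rather than from a Python-level path comparison, which is what makes the approach race-free; the plain file under the root is written normally. The same dir_fd walk applies to reads and deletes if the File Manager exposes those too.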
Authenticated users in pgAdmin 4 before version 9.15 can read arbitrary server-side files or trigger server-side request forgery (SSRF) attacks via unvalidated LLM API configuration endpoints. The vulnerabilities exist in the chat and model-list endpoints where user-supplied api_key_file and api_url parameters are passed directly to LLM provider clients without sanitization, enabling attackers to exfiltrate sensitive files (database credentials, private keys) readable by the pgAdmin process or coerce internal requests to cloud metadata services and private infrastructure.
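Validation for the two parameters named above, as an added example that is not pgAdmin's code: api_url is required to be https, carry no credentials, and resolve only to public addresses (which blocks 169.254.169.254 and other metadata, loopback and RFC 1918 targets), and api_key_file is confined to one directory after symlink resolution. The function names, the allowed-directory argument and the constructed resolver table used for offline testing are this example's own assumptions.

```python
import ipaddress
import os
import socket
from urllib.parse import urlparse


def is_public_address(ip: str) -> bool:
    """False for private, loopback, link-local (cloud metadata), multicast,
    reserved and unspecified addresses, for both IPv4 and IPv6."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_safe_api_url(url: str, resolve=socket.gethostbyname_ex) -> bool:
    """Accept api_url only if it is https, has no userinfo, and every
    address its host resolves to is public. resolve is injectable so the
    check can be exercised without network access."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    if parsed.username or parsed.password:
        return False
    try:
        addrs = [str(ipaddress.ip_address(parsed.hostname))]  # IP literal
    except ValueError:
        try:
            addrs = resolve(parsed.hostname)[2]  # (name, aliases, ipaddrlist)
        except (socket.gaierror, KeyError):
            return False
    return bool(addrs) and all(is_public_address(a) for a in addrs)


def is_allowed_key_file(path: str, allowed_dir: str) -> bool:
    """Confine api_key_file to allowed_dir. realpath resolves '..' and
    symlinks first; commonpath (not startswith) stops the prefix trick
    where /keys-evil/x would match /keys."""
    real = os.path.realpath(path)
    base = os.path.realpath(allowed_dir)
    return os.path.commonpath([real, base]) == base


# Constructed resolver table for offline use; 8.8.8.8 is a stand-in for
# any public LLM provider address.
_FAKE_DNS = {
    "api.example-llm.invalid": ["8.8.8.8"],
    "metadata.google.internal": ["169.254.169.254"],
    "intranet.corp.invalid": ["10.0.0.5"],
}


def fake_resolver(host: str):
    return (host, [], _FAKE_DNS[host])
```

One caveat for the URL half: resolving in the validator and then letting the HTTP client resolve again leaves a DNS-rebinding window. A complete fix either pins the validated IP when connecting or, better still, makes api_url an admin-only setting so that ordinary users never supply it.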
Authenticated remote code execution in pgAdmin 4 versions before 9.15 allows low-privilege users to execute arbitrary OS commands on the pgAdmin server via unsanitized input in the Import/Export query export feature. Attackers inject malicious payloads into psql \copy metacommand templates to break out of the query context and invoke PROGRAM directives or write arbitrary files. No public exploit code identified at time of analysis, but exploitation requires only low-privilege authenticated access with no user interaction (CVSS AV:N/AC:L/PR:L/UI:N). EPSS data not provided; KEV status not confirmed.
Authorization bypass and privilege escalation in pgAdmin 4 server mode allows authenticated users to access other users' private database servers, credentials, and background processes by guessing object IDs. Attackers can execute arbitrary shell commands as the server owner by modifying the passexec_cmd field through unprotected API endpoints. The vulnerability combines horizontal privilege escalation (accessing peer users' objects), vertical escalation (executing commands as owner), and credential theft (SSL keys, passfiles). No public exploit code identified at time of analysis, but exploitation requires only low-privilege authentication with no user interaction (CVSS PR:L/UI:N). EPSS data not provided; CISA KEV status not confirmed.
Command execution in pgAdmin 4 server mode allows authenticated attackers to bypass restore operation restrictions by extracting the restrict key during PLAIN-format dump file operations and injecting malicious payloads to re-enable meta-commands. An attacker with web interface access can race the restore process in real time to achieve reliable code execution on the pgAdmin host. No patch is currently available for this vulnerability.
pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism that allows bypassing TLS certificate verification. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable with low attack complexity and no authentication required. No vendor patch available.
pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters into the username, causing the DC/LDAP server and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable with low attack complexity and no authentication required. No vendor patch available.
pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
pgAdmin versions up to 9.9 are affected by a remote code execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. Rated high severity (CVSS 7.9), this vulnerability is remotely exploitable. No vendor patch available.
pgAdmin <= 9.1 is affected by a cross-site scripting (XSS) vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoints. The query_commited and high_availability parameters are passed directly to Python's eval() function, allowing authenticated users to execute arbitrary Python code on the pgAdmin server.