Lucene search
K

CVE-2026-12047

🗓️ 18 Jun 2026 23:37:39Reported by PostgreSQLType 
cve
 cve
🔗 web.nvd.nist.gov👁 35 Views🌐 WEB

HTML injection in pgAdmin cloud module leaks unsanitised error text into JSON, enabling iframe redirection.

Related
Detection
Affected
Refs
Paths
NVD
Node
pgadminpgadmin_4Range6.69.16postgresql
[
  {
    "vendor": "pgadmin.org",
    "product": "pgAdmin 4",
    "repo": "https://github.com/pgadmin-org/pgadmin4",
    "modules": [
      "Cloud Deployment",
      "Cloud RDS",
      "Cloud Azure",
      "Cloud Google"
    ],
    "programFiles": [
      "https://github.com/pgadmin-org/pgadmin4/blob/master/web/pgadmin/misc/cloud/__init__.py",
      "https://github.com/pgadmin-org/pgadmin4/blob/master/web/pgadmin/misc/cloud/rds/__init__.py",
      "https://github.com/pgadmin-org/pgadmin4/blob/master/web/pgadmin/misc/cloud/azure/__init__.py",
      "https://github.com/pgadmin-org/pgadmin4/blob/master/web/pgadmin/misc/cloud/google/__init__.py",
      "https://github.com/pgadmin-org/pgadmin4/blob/master/web/pgadmin/misc/cloud/static/js/CloudWizard.jsx"
    ],
    "versions": [
      {
        "status": "affected",
        "version": "6.6",
        "lessThan": "9.16",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
ParameterPositionPathDescriptionCWE
access_keyrequest bodyrds/verify_credentials/HTML/JS injection via unsanitised SDK/exception text propagated to JSON response from rds/verify_credentials.CWE-116CWE-79
cluster_namerequest bodyazure/check_cluster_name_availabilityHTML/JS injection via unsanitised exception text bubbled into responses from Azure cluster name checks.CWE-116CWE-79
credential_inforequest bodygoogle/verification_ackHTML/JS injection through unsanitised exception strings returned by Google SDK paths.CWE-116CWE-79
project_idrequest bodygoogle/projectsHTML/JS injection via unsanitised error text surfaced in Google project-related endpoints.CWE-116CWE-79
region_idrequest bodygoogle/regionsHTML/JS injection via unsanitised error strings in Google region lookups.CWE-116CWE-79
instance_typerequest bodygoogle/instance_typesHTML/JS injection via unsanitised error strings in Google instance type queries.CWE-116CWE-79
version_idrequest bodygoogle/database_versionsHTML/JS injection via unsanitised error strings in Google database version queries.CWE-116CWE-79
access_keyrequest bodygoogle/verify_credentials/HTML/JS injection via unsanitised exception text propagated from Google verify_credentials path.CWE-116CWE-79

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation