Lucene search
K

132 matches found

OSV
OSV
added 2026/06/29 11:50 a.m.7 views

PYSEC-2026-454 pgAdmin4 vulnerable to Remote Code Execution (RCE) when running in server mode

pgAdmin versions up to 9.9 are affected by a Remote Code Execution RCE vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical...

9.1CVSS6.5AI score0.12217EPSS
Exploits1References6
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-451 pgAdmin 4 Vulnerable to Remote Code Execution

Remote Code Execution security vulnerability in pgAdmin 4 Query Tool and Cloud Deployment modules. The vulnerability is associated with the 2 POST endpoints; /sqleditor/querytool/download, where the querycommited parameter and /cloud/deploy endpoint, where the highavailability parameter is unsafe...

9.9CVSS6.2AI score0.46222EPSS
Exploits7References6
Tenable Nessus
Tenable Nessus
added 2026/06/28 12:0 a.m.8 views

Fedora 43 : pgadmin4 (2026-5938be3b09)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-5938be3b09 advisory. Update to pgadmin-9.16. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...

9.5CVSS5.8AI score0.0071EPSS
Exploits0References8
Tenable Nessus
Tenable Nessus
added 2026/06/28 12:0 a.m.6 views

Fedora 44 : pgadmin4 (2026-c248414214)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-c248414214 advisory. Update to pgadmin-9.16. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...

9.5CVSS5.8AI score0.0071EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/06/19 3:49 a.m.7 views

CVE-2026-12044

A flaw was found in pgAdmin 4. An authenticated user with specific permissions could exploit a SQL injection vulnerability by submitting a crafted description field in various dialog templates. This could allow the user to execute arbitrary SQL commands, potentially leading to arbitrary operating...

8.8CVSS6.3AI score0.00489EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/19 3:39 a.m.8 views

CVE-2026-12050

A flaw was found in pgAdmin 4. An authenticated user with an active PostgreSQL session could exploit a SQL injection vulnerability in the named restore point endpoint. This allows the user to execute arbitrary SQL statements through an unexpected path. While this does not grant additional...

8.8CVSS6.1AI score0.00245EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/19 3:29 a.m.9 views

CVE-2026-12049

A flaw was found in pgAdmin 4. This open redirect vulnerability exists in the multi-factor authentication MFA flow. An authenticated user could be tricked into clicking a specially crafted link, which would redirect them to an attacker-controlled website. This could increase the success rate of...

6.1CVSS5AI score0.00218EPSS
Exploits0References5
NVD
NVD
added 2026/06/19 12:16 a.m.10 views

CVE-2026-12049

Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next= -- a link typically...

6.1CVSS0.00218EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/18 11:37 p.m.37 views

CVE-2026-12048 pgAdmin 4: Stored XSS via untrusted error and plan-node text rendered through html-react-parser

Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server ErrorResponse messages, including object names quoted back inside relation-does-not-exist errors and inside EXPLAIN Recheck Cond / Exact Heap Blocks fields was passed...

9.3CVSS0.0021EPSS
Exploits0References2
CVE
CVE
added 2026/06/18 11:37 p.m.80 views

CVE-2026-12048

CVE-2026-12048 affects pgAdmin 4 (versions 6.0 up to 9.16). Stored XSS occurs when untrusted server-returned text is passed through html-react-parser in multiple user-facing sinks (toasts, dialogs, explain visualiser, SQL editor prompts, etc.), allowing an attacker-controlled PostgreSQL server to...

9.3CVSS5.4AI score0.0021EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/18 11:37 p.m.6 views

CVE-2026-12047

HTML injection in pgAdmin 4's cloud deployment module. The verifycredentials, deploy, regions, and update-server endpoints under /rds/, /azure/, /google/, and the top-level /cloud/ blueprint propagated AWS / Azure / Google SDK exception text — and the related file-resolution and database-commit...

4.8CVSS5.2AI score0.00137EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/06/18 11:37 p.m.99 views

CVE-2026-12046

CVE-2026-12046: pgAdmin 4 exposes unauthenticated deserialization sink in SQL Editor close and update_connection routes (DELETE /sqleditor/close/, POST /sqleditor/initialize/sqleditor/update_connection///). Missing @pga_login_required allows unauthenticated access to pickle.loads on session['grid...

9.5CVSS6.8AI score0.0071EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/18 11:37 p.m.89 views

CVE-2026-12045

The CVE-2026-12045 affects pgAdmin 4 (from version 9.13 up to before 9.16) and concerns the AI Assistant read-only transaction bypass. A prompt-injection vulnerability allows an attacker who can influence content seen by the AI Assistant to craft LLM-generated SQL payloads that bypass the BEGIN T...

9.4CVSS7AI score0.00482EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/18 11:37 p.m.33 views

CVE-2026-12050 pgAdmin 4: SQL injection in named restore point endpoint

SQL injection in pgAdmin 4's named restore point endpoint POST /browser/server/restorepoint/gid/sid. The user-supplied 'value' field was interpolated directly into the SQL string with str.format instead of being passed as a bound parameter, allowing an authenticated pgAdmin user with a connected...

5.3CVSS0.00245EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/18 11:37 p.m.36 views

CVE-2026-12044 pgAdmin 4: SQL injection in COMMENT ON ... IS '<description>' rendering across dialog templates

SQL injection in pgAdmin 4 across every dialog template that renders COMMENT ON ... IS '' for a user-supplied description field. The Jinja templates for Domains and their constraints, Foreign Tables, Languages, and Event Triggers, plus the Views OID-lookup query, interpolated the description...

8.8CVSS0.00489EPSS
Exploits0References3
CVE
CVE
added 2026/06/18 11:37 p.m.60 views

CVE-2026-12044

CVE-2026-12044 affects pgAdmin 4. An authenticated user with permission to create/alter objects can inject SQL via the description field in templates rendering COMMENT ON ... IS ''. The vulnerability stems from Jinja templates interpolating user-supplied descriptions directly into single-quoted S...

8.8CVSS6AI score0.00489EPSS
Exploits0References3Affected Software1
Chainguard
Chainguard
added 2026/05/27 7:18 a.m.12 views

GHSA-HV9P-2PQF-R5W3 vulnerabilities

Vulnerabilities for packages: pgadmin4...

5.8AI score
Exploits0
Chainguard
Chainguard
added 2026/05/27 7:18 a.m.13 views

CVE-2026-7820 vulnerabilities

Vulnerabilities for packages: pgadmin4...

6.9CVSS5.8AI score0.00211EPSS
Exploits0
Chainguard
Chainguard
added 2026/05/27 7:18 a.m.14 views

CVE-2026-7819 vulnerabilities

Vulnerabilities for packages: pgadmin4...

8.1CVSS5.8AI score0.00359EPSS
Exploits0
Chainguard
Chainguard
added 2026/05/27 1:18 a.m.10 views

GHSA-P58C-Q354-6C4F vulnerabilities

Vulnerabilities for packages: pgadmin4...

5.8AI score
Exploits0
Rows per page
Query Builder