CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

126 matches found

CVE-2026-12044

A flaw was found in pgAdmin 4. An authenticated user with specific permissions could exploit a SQL injection vulnerability by submitting a crafted description field in various dialog templates. This could allow the user to execute arbitrary SQL commands, potentially leading to arbitrary operating...

8.8CVSS6.3AI score

Exploits0References2

RedhatCVE•added 4 days ago•5 views

CVE-2026-12050

A flaw was found in pgAdmin 4. An authenticated user with an active PostgreSQL session could exploit a SQL injection vulnerability in the named restore point endpoint. This allows the user to execute arbitrary SQL statements through an unexpected path. While this does not grant additional...

5.3CVSS6.1AI score

Exploits0References5

RedhatCVE•added 4 days ago•7 views

CVE-2026-12049

A flaw was found in pgAdmin 4. This open redirect vulnerability exists in the multi-factor authentication MFA flow. An authenticated user could be tricked into clicking a specially crafted link, which would redirect them to an attacker-controlled website. This could increase the success rate of...

5.3CVSS5AI score

Exploits0References5

NVD•added 4 days ago•9 views

CVE-2026-12049

Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next= -- a link typically...

5.3CVSS

Exploits0References2

Cvelist•added 5 days ago•34 views

CVE-2026-12048 pgAdmin 4: Stored XSS via untrusted error and plan-node text rendered through html-react-parser

Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server ErrorResponse messages, including object names quoted back inside relation-does-not-exist errors and inside EXPLAIN Recheck Cond / Exact Heap Blocks fields was passed...

9.3CVSS

Exploits0References2

CVE•added 5 days ago•59 views

CVE-2026-12048

CVE-2026-12048 affects pgAdmin 4 (versions 6.0 up to 9.16). Stored XSS occurs when untrusted server-returned text is passed through html-react-parser in multiple user-facing sinks (toasts, dialogs, explain visualiser, SQL editor prompts, etc.), allowing an attacker-controlled PostgreSQL server to...

9.3CVSS5.4AI score

Exploits0References2

CVE•added 5 days ago•64 views

CVE-2026-12046

CVE-2026-12046: pgAdmin 4 exposes unauthenticated deserialization sink in SQL Editor close and update_connection routes (DELETE /sqleditor/close/, POST /sqleditor/initialize/sqleditor/update_connection///). Missing @pga_login_required allows unauthenticated access to pickle.loads on session['grid...

9.5CVSS6.8AI score

Exploits0References2

CVE•added 5 days ago•51 views

CVE-2026-12045

The CVE-2026-12045 affects pgAdmin 4 (from version 9.13 up to before 9.16) and concerns the AI Assistant read-only transaction bypass. A prompt-injection vulnerability allows an attacker who can influence content seen by the AI Assistant to craft LLM-generated SQL payloads that bypass the BEGIN T...

9.4CVSS7AI score

Exploits0References2

Cvelist•added 5 days ago•31 views

CVE-2026-12050 pgAdmin 4: SQL injection in named restore point endpoint

SQL injection in pgAdmin 4's named restore point endpoint POST /browser/server/restorepoint/gid/sid. The user-supplied 'value' field was interpolated directly into the SQL string with str.format instead of being passed as a bound parameter, allowing an authenticated pgAdmin user with a connected...

5.3CVSS

Exploits0References2

Cvelist•added 5 days ago•32 views

CVE-2026-12044 pgAdmin 4: SQL injection in COMMENT ON ... IS '<description>' rendering across dialog templates

SQL injection in pgAdmin 4 across every dialog template that renders COMMENT ON ... IS '' for a user-supplied description field. The Jinja templates for Domains and their constraints, Foreign Tables, Languages, and Event Triggers, plus the Views OID-lookup query, interpolated the description...

8.8CVSS

Exploits0References3

CVE•added 5 days ago•39 views

CVE-2026-12044

CVE-2026-12044 affects pgAdmin 4. An authenticated user with permission to create/alter objects can inject SQL via the description field in templates rendering COMMENT ON ... IS ''. The vulnerability stems from Jinja templates interpolating user-supplied descriptions directly into single-quoted S...

8.8CVSS6AI score

Exploits0References3