469 matches found
pgAdmin 4: OS command injection vulnerability in Import/Export query export
OS command injection CWE-78 vulnerability in pgAdmin 4 Import/Export query export. User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject " TO PROGRAM 'cmd'" to break out of the \copy ... context and achieve...
pgAdmin 4 File Manager has symbolic-link path traversal
Symbolic-link path traversal CWE-61, CWE-22 in pgAdmin 4 File Manager. checkaccesspermission used os.path.abspath, which resolves '..' but does not resolve symbolic links, while the subsequent kernel write follows symlinks. An authenticated user could plant a symbolic link inside their own storag...
EUVD-2026-29087
Symbolic-link path traversal CWE-61, CWE-22 in pgAdmin 4 File Manager. checkaccesspermission used os.path.abspath, which resolves '..' but does not resolve symbolic links, while the subsequent kernel write follows symlinks. An authenticated user could plant a symbolic link inside their own storag...
EUVD-2026-29083
SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields bufferusagelimit, vacuumparallel, vacuumindexcleanup, reindextablespace were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with th...
jupyter-pgadmin-proxy (>=0.0.1 <=0.0.4) potentially affected by CVE-2026-7819 via pgadmin4 (=9.14.0)
pgadmin4 PYPI version =9.14.0 is affected by a known vulnerability. The following packages have a transitive dependency on pgadmin4 and may be impacted: - jupyter-pgadmin-proxy =0.0.1, =0.0.4 Source cves: CVE-2026-7819 Source advisory: OSV:GHSA-HR4R-FWPV-C95J...
GHSA-HP84-P2GQ-6FVR SQL injection vulnerability in pgAdmin 4 Maintenance Tool
SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields bufferusagelimit, vacuumparallel, vacuumindexcleanup, reindextablespace were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with th...
jupyter-pgadmin-proxy (>=0.0.1 <=0.0.4) potentially affected by CVE-2026-7813 via pgadmin4 (=9.14.0)
pgadmin4 PYPI version =9.14.0 is affected by a known vulnerability. The following packages have a transitive dependency on pgadmin4 and may be impacted: - jupyter-pgadmin-proxy =0.0.1, =0.0.4 Source cves: CVE-2026-7813 Source advisory: OSV:GHSA-H2X2-Q2MC-24GW...
jupyter-pgadmin-proxy (>=0.0.1 <=0.0.4) potentially affected by CVE-2026-7820 via pgadmin4 (=9.14.0)
pgadmin4 PYPI version =9.14.0 is affected by a known vulnerability. The following packages have a transitive dependency on pgadmin4 and may be impacted: - jupyter-pgadmin-proxy =0.0.1, =0.0.4 Source cves: CVE-2026-7820 Source advisory: OSV:GHSA-HV9P-2PQF-R5W3...
jupyter-pgadmin-proxy (>=0.0.1 <=0.0.4) potentially affected by CVE-2026-7817 via pgadmin4 (=9.14.0)
pgadmin4 PYPI version =9.14.0 is affected by a known vulnerability. The following packages have a transitive dependency on pgadmin4 and may be impacted: - jupyter-pgadmin-proxy =0.0.1, =0.0.4 Source cves: CVE-2026-7817 Source advisory: OSV:GHSA-P58C-Q354-6C4F...
jupyter-pgadmin-proxy (>=0.0.1 <=0.0.4) potentially affected by CVE-2026-7816 via pgadmin4 (=9.14.0)
pgadmin4 PYPI version =9.14.0 is affected by a known vulnerability. The following packages have a transitive dependency on pgadmin4 and may be impacted: - jupyter-pgadmin-proxy =0.0.1, =0.0.4 Source cves: CVE-2026-7816 Source advisory: OSV:GHSA-J74F-G7VX-FH4X...
GHSA-H2X2-Q2MC-24GW pgAdmin 4 server mode has an authorization vulnerability affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules
Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could access another user's...
GHSA-HV9P-2PQF-R5W3 pgAdmin 4: Improper restriction of excessive authentication attempts
Improper restriction of excessive authentication attempts CWE-307 in pgAdmin 4. pgAdmin enforces MAXLOGINATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.initapp and is reachable on every server, never...
jupyter-pgadmin-proxy (>=0.0.1 <=0.0.4) potentially affected by CVE-2026-7818 via pgadmin4 (=9.14.0)
pgadmin4 PYPI version =9.14.0 is affected by a known vulnerability. The following packages have a transitive dependency on pgadmin4 and may be impacted: - jupyter-pgadmin-proxy =0.0.1, =0.0.4 Source cves: CVE-2026-7818 Source advisory: OSV:GHSA-4RHG-H8F2-V4JM...
EUVD-2026-29084
OS command injection CWE-78 vulnerability in pgAdmin 4 Import/Export query export. User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject " TO PROGRAM 'cmd'" to break out of the \copy ... context and achieve...
pgAdmin 4 contains local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities
Local file inclusion LFI and server-side request forgery SSRF vulnerabilities in pgAdmin 4 LLM API configuration endpoints. User-supplied apikeyfile and apiurl preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by...
SQL injection vulnerability in pgAdmin 4 Maintenance Tool
SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields bufferusagelimit, vacuumparallel, vacuumindexcleanup, reindextablespace were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with th...
pgAdmin 4 server mode has an authorization vulnerability affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules
Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could access another user's...
Directory Traversal
Overview pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to Directory Traversal via the apikeyfile and apiurl preferences in the LLM API configuration endpoints. An attacker can access arbitrary files on the server or induce the server to make requests to internal...
CVE-2026-7819
Symbolic-link path traversal CWE-61, CWE-22 in pgAdmin 4 File Manager. checkaccesspermission used os.path.abspath, which resolves '..' but does not resolve symbolic links, while the subsequent kernel write follows symlinks. An authenticated user could plant a symbolic link inside their own storag...
CVE-2026-7820
Improper restriction of excessive authentication attempts CWE-307 in pgAdmin 4. pgAdmin enforces MAXLOGINATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.initapp and is reachable on every server, never...