18 matches found

CVE-2023-5002
added 2023/09/22 1:31 p.m. | 2572 views

CVE-2023-5002 affects pgAdmin’s server HTTP API where path validation for external PostgreSQL utilities (e.g., pg_dump/pg_restore) was insufficient. An authenticated user could cause the server to execute arbitrary commands due to improper control of server-side code. Reports across multiple sour...

CVSS 8.8 | AI score 7.2 | EPSS 0.0147
CVE-2025-2945
added 2025/04/03 12:23 p.m. | 267 views

CVE-2025-2945 affects pgAdmin 4 (versions 8.10–9.1). An authenticated user can trigger remote code execution by sending a crafted payload via the query_tool/download (query_commited) or cloud/deploy (high_availability) endpoints, which pass data unsafely to Python eval(). Proofs of concept exist (a...

CVSS 9.9 | AI score 8.4 | EPSS 0.3842
Tags: Web
CVE-2023-0241
added 2023/03/27 12:0 a.m. | 153 views

pgAdmin 4 contains a directory traversal vulnerability in versions prior to v6.19. The flaw could allow a user to change another user’s settings or alter the database. Multiple sources corroborate the issue (CVE-2023-0241) and note remediation via updates; open advisories reference a fixed releas...

CVSS 6.5 | AI score 6.2 | EPSS 0.08826
CVE-2022-4223
added 2022/12/13 12:0 a.m. | 151 views

CVE-2022-4223 describes a remote code execution vulnerability in pgAdmin that affects versions prior to 6.17. An insecure HTTP API allows an unauthenticated user to pass a manipulated path (e.g., a UNC path) to the server, which could lead to the execution of an arbitrary executable on the pgAdmi...

CVSS 8.8 | AI score 8.5 | EPSS 0.80069
CVE-2024-9014
added 2024/09/23 5:4 p.m. | 144 views

pgAdmin 4 (versions ≤ 8.11) is affected by CVE-2024-9014 due to an OAuth2 authentication flaw that can expose OAuth2_CLIENT_ID and OAuth2_CLIENT_SECRET from the login/config, enabling unauthorized access to user data. The Nuclei template confirms an authentication bypass/vector leading to credent...

CVSS 9.9 | AI score 9.2 | EPSS 0.09681
Tags: In wild, Web
CVE-2024-2044
added 2024/03/07 8:48 p.m. | 138 views

CVE-2024-2044 affects pgAdmin4

CVSS 9.9 | AI score 9.7 | EPSS 0.79326
Tags: Web
CVE-2022-0959
added 2022/03/16 2:3 p.m. | 119 views

CVE-2022-0959 affects pgAdmin4: a malicious, authenticated user can craft an HTTP request using an existing CSRF token and session cookie to upload files to any location writable by the OS user running pgAdmin. The root cause is an unrestricted file upload path that permits writes outside intende...

CVSS 6.5 | AI score 6.2 | EPSS 0.00931
CVE-2024-4216
added 2024/05/02 5:42 p.m. | 109 views

CVE-2024-4216 affects pgAdmin <= 8.5 with an XSS in the /settings/store API response JSON payload, allowing an attacker to execute malicious script on the client side. The vulnerability is described with CVSS metrics indicating a remotely exploitable issue with low user interaction in the NVD ...

CVSS 7.4 | AI score 7.1 | EPSS 0.00461
CVE-2024-4215
added 2024/05/02 5:42 p.m. | 85 views

CVE-2024-4215 concerns pgAdmin4. Affected: pgadmin4 (ld

CVSS 8.8 | AI score 7.7 | EPSS 0.00629
CVE-2025-12762
added 2025/11/13 1:0 p.m. | 77 views

CVE-2025-12762 affects pgAdmin 4 up to v9.9 when running in server mode and performing restores from PLAIN-format dumps, enabling remote code execution via injected commands on the host. Public advisories and Nessus/GHSA entries confirm this is a critical RCE with network access, low complexity, ...

CVSS 9.8 | AI score 7.3 | EPSS 0.11963
CVE-2024-6238
added 2024/06/25 4:12 p.m. | 50 views

Summary: CVE-2024-6238 affects pgAdmin versions up to 8.8 and is due to an installation directory permissions issue on Debian/RHEL 8, potentially allowing attackers to gain unauthorized access to the installation directory. The NVD/CNA data indicate a mix of impact metrics, including confidential...

CVSS 7.4 | AI score 7.5 | EPSS 0.00246
CVE-2026-7818
added 2026/05/11 2:35 p.m. | 27 views

CVE-2026-7818 affects pgAdmin 4: Unsafe deserialization in FileBackedSessionManager allows an authenticated user with write access to the sessions directory to craft a payload that could lead to operating-system level remote code execution under the pgAdmin process identity. The root cause is des...

CVSS 7.8 | AI score 6.5 | EPSS 0.00131
CVE-2026-7813
added 2026/05/11 2:35 p.m. | 21 views

pgAdmin 4 server mode CVE-2026-7813 enables cross-user data access and privilege escalation in Shared Servers. An authenticated user could enumerate object IDs to fetch another user’s private servers, server groups, background processes, and debugger arguments due to lacking user-scoped access co...

CVSS 9.9 | AI score 6.1 | EPSS 0.00455
CVE-2025-12765
added 2025/11/13 1:0 p.m. | 16 views

Summary of the CVE: CVE-2025-12765 affects pgAdmin4 (noted in multiple advisories) with a flaw in the LDAP authentication flow that allows bypassing TLS certificate validation. The SUSE/OpenSUSE entries and related Nessus plugins cite this CVE alongside CVE-2025-12764 and others, indicating impac...

CVSS 7.5 | AI score 6.7 | EPSS 0.00181
CVE-2026-7819
added 2026/05/11 2:35 p.m. | 16 views

CVE-2026-7819 describes a symbolic-link path traversal in pgAdmin 4 File Manager. The vulnerability arises because check_access_permission used os.path.abspath (resolving ..) but not symbolic links, allowing an authenticated user to plant a symlink within their storage directory that points elsew...

CVSS 8.1 | AI score 5.8 | EPSS 0.00359
CVE-2026-7820
added 2026/05/11 2:35 p.m. | 14 views

CVE-2026-7820 affects pgAdmin 4 prior to 9.15. The issue is an account-lockout bypass caused by improper synchronization between pgAdmin’s custom /authenticate/login path and Flask-Security’s default /login path. Because Flask-Security’s default route does not consult the pgAdmin User.locked fiel...

CVSS 6.9 | AI score 5.8 | EPSS 0.00211
CVE-2025-12764
added 2025/11/13 1:0 p.m. | 13 views

Summary of CVE-2025-12764 (pgAdmin4): The vulnerability affects pgAdmin4 versions up to 9.9, where improper validation of characters in a username during LDAP authentication allows LDAP injection, which can cause the DC/LDAP server and client to process an excessive amount of data and trigger...

CVSS 7.5 | AI score 7 | EPSS 0.00354
CVE-2025-12763
added 2025/11/13 1:0 p.m. | 12 views

CVE-2025-12763 affects pgAdmin 4 versions up to 9.9 on Windows, where a command-injection vulnerability is caused by using shell=True during backup/restore operations, enabling an attacker to execute arbitrary system commands via crafted file paths. Multiple independent sources note this can lead...

CVSS 8.8 | AI score 7.6 | EPSS 0.00737