5 matches found
CVE-2023-0241
pgAdmin 4 contains a directory traversal vulnerability in versions prior to v6.19. The flaw could allow a user to change another user’s settings or alter the database. Multiple sources corroborate the issue (CVE-2023-0241) and note remediation via updates; open advisories reference a fixed releas...
CVE-2022-0959
CVE-2022-0959 affects pgAdmin4: a malicious, authenticated user can craft an HTTP request using an existing CSRF token and session cookie to upload files to any location writable by the OS user running pgAdmin. The root cause is an unrestricted file upload path that permits writes outside intende...
CVE-2023-22298
CVE-2023-22298 is an open redirect vulnerability in pgAdmin 4 prior to version 6.14. An unauthenticated remote attacker can lure a user to click a specially crafted URL, redirecting them to an arbitrary site and enabling phishing. Affected software is pgAdmin 4; the root cause is an improper redi...
CVE-2026-12049
CVE-2026-12049 affects pgAdmin 4. An open redirect vulnerability exists in the MFA flow where the next parameter is not validated against the current origin, allowing an authenticated user to be redirected to an attacker-controlled host via /mfa/validate?next=… This is a trusted-domain redirect r...
CVE-2026-7820
CVE-2026-7820 affects pgAdmin 4 prior to 9.15. The issue is an account-lockout bypass caused by improper synchronization between pgAdmin’s custom /authenticate/login path and Flask-Security’s default /login path. Because Flask-Security’s default route does not consult the pgAdmin User.locked fiel...