Lucene search
K
PgadminPgadmin 4

9 matches found

CVE
CVE
added 2023/09/22 1:31 p.m.2580 views

CVE-2023-5002

CVE-2023-5002 affects pgAdmin’s server HTTP API where path validation for external PostgreSQL utilities (e.g., pg_dump/pg_restore) was insufficient. An authenticated user could cause the server to execute arbitrary commands due to improper control of server-side code. Reports across multiple sour...

8.8CVSS7.2AI score0.0147EPSS
CVE
CVE
added 2022/12/13 12:0 a.m.160 views

CVE-2022-4223

CVE-2022-4223 describes a remote code execution vulnerability in pgAdmin that affects versions prior to 6.17. An insecure HTTP API allows an unauthenticated user to pass a manipulated path (e.g., a UNC path) to the server, which could lead to the execution of an arbitrary executable on the pgAdmi...

8.8CVSS8.5AI score0.79933EPSS
CVE
CVE
added 2024/05/02 5:42 p.m.90 views

CVE-2024-4215

CVE-2024-4215 concerns pgAdmin4. Affected: pgadmin4 (ld

8.8CVSS7.7AI score0.00629EPSS
CVE
CVE
added 2026/06/18 11:37 p.m.67 views

CVE-2026-12044

CVE-2026-12044 affects pgAdmin 4. An authenticated user with permission to create/alter objects can inject SQL via the description field in templates rendering COMMENT ON ... IS ''. The vulnerability stems from Jinja templates interpolating user-supplied descriptions directly into single-quoted S...

8.8CVSS6AI score0.00489EPSS
CVE
CVE
added 2026/06/18 11:37 p.m.42 views

CVE-2026-12050

CVE-2026-12050 concerns pgAdmin 4. An authenticated user with a connected PostgreSQL session can exploit a SQL injection in the named restore point endpoint (POST /browser/server/restore_point/{gid}/{sid}) because the user-supplied value is interpolated into SQL via string formatting instead of a...

8.8CVSS5.5AI score0.00245EPSS
Web
CVE
CVE
added 2026/05/11 2:35 p.m.28 views

CVE-2026-7816

The CVE-2026-7816 entry describes an OS command injection in pgAdmin 4 Import/Export query export. User input was directly interpolated into a psql \copy metacommand template without sanitization, allowing an authenticated user to inject commands to break out of the \copy context and execute arbi...

8.8CVSS6.1AI score0.01444EPSS
CVE
CVE
added 2026/05/11 2:35 p.m.26 views

CVE-2026-7819

CVE-2026-7819 describes a symbolic-link path traversal in pgAdmin 4 File Manager. The vulnerability arises because check_access_permission used os.path.abspath (resolving ..) but not symbolic links, allowing an authenticated user to plant a symlink within their storage directory that points elsew...

8.1CVSS5.8AI score0.00359EPSS
CVE
CVE
added 2026/05/11 2:35 p.m.22 views

CVE-2026-7815

The CVE-2026-7815 issue affects pgAdmin 4 maintenance tooling. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated into VACUUM/ANALYZE/REINDEX commands and passed to psql --command. An authenticated user with tools_maint...

8.8CVSS6.2AI score0.00456EPSS
CVE
CVE
added 2025/11/13 1:0 p.m.15 views

CVE-2025-12763

CVE-2025-12763 affects pgAdmin 4 versions up to 9.9 on Windows, where a command-injection vulnerability is caused by using shell=True during backup/restore operations, enabling an attacker to execute arbitrary system commands via crafted file paths. Multiple independent sources note this can lead...

8.8CVSS7.6AI score0.00845EPSS