Lucene search
+L
PgadminPgadmin 4

11 matches found

CVE
CVE
added 2025/04/03 12:23 p.m.303 views

CVE-2025-2945

CVE-2025-2945 affects pgAdmin 4 (versions 8.10–9.1). An authenticated user can trigger remote code execution by sending a crafted payload via the query_tool/download (query_commited) or cloud/deploy (high_availability) endpoints, which unsafe-pass data to Python eval(). Proofs of concept exist (a...

9.9CVSS8.4AI score0.46222EPSS
Web
CVE
CVE
added 2024/04/04 2:59 p.m.214 views

CVE-2024-3116

CVE-2024-3116 affects pgAdmin

9.8CVSS9AI score0.64846EPSS
Web
CVE
CVE
added 2024/09/23 5:4 p.m.156 views

CVE-2024-9014

pgAdmin 4 (versions ≤ 8.11) is affected by CVE-2024-9014 due to an OAuth2 authentication flaw that can expose OAuth2_CLIENT_ID and OAuth2_CLIENT_SECRET from the login/config, enabling unauthorized access to user data. The Nuclei template confirms an authentication bypass/vector leading to credent...

9.9CVSS9.2AI score0.09685EPSS
In wildWeb
CVE
CVE
added 2024/03/07 8:48 p.m.154 views

CVE-2024-2044

CVE-2024-2044 affects pgAdmin4

9.9CVSS9.7AI score0.79326EPSS
Web
CVE
CVE
added 2026/06/18 11:37 p.m.111 views

CVE-2026-12046

CVE-2026-12046: pgAdmin 4 exposes unauthenticated deserialization sink in SQL Editor close and update_connection routes (DELETE /sqleditor/close/, POST /sqleditor/initialize/sqleditor/update_connection///). Missing @pga_login_required allows unauthenticated access to pickle.loads on session['grid...

9.5CVSS6.8AI score0.0071EPSS
Web
CVE
CVE
added 2025/11/13 1:0 p.m.103 views

CVE-2025-12762

CVE-2025-12762 affects pgAdmin 4 up to v9.9 when running in server mode and performing restores from PLAIN-format dumps, enabling remote code execution via injected commands on the host. Public advisories and Nessus/GHSA entries confirm this is a critical RCE with network access, low complexity, ...

9.8CVSS7.3AI score0.12384EPSS
CVE
CVE
added 2026/06/18 11:37 p.m.101 views

CVE-2026-12045

The CVE-2026-12045 affects pgAdmin 4 (from version 9.13 up to before 9.16) and concerns the AI Assistant read-only transaction bypass. A prompt-injection vulnerability allows an attacker who can influence content seen by the AI Assistant to craft LLM-generated SQL payloads that bypass the BEGIN T...

9.4CVSS7AI score0.00482EPSS
CVE
CVE
added 2026/06/18 11:37 p.m.101 views

CVE-2026-12048

CVE-2026-12048 affects pgAdmin 4 (versions 6.0 up to 9.16). Stored XSS occurs when untrusted server-returned text is passed through html-react-parser in multiple user-facing sinks (toasts, dialogs, explain visualiser, SQL editor prompts, etc.), allowing an attacker-controlled PostgreSQL server to...

9.3CVSS5.4AI score0.0021EPSS
CVE
CVE
added 2025/04/03 12:23 p.m.97 views

CVE-2025-2946

CVE-2025-2946 is a Cross‑Site Scripting (XSS) vulnerability in pgAdmin 4 where arbitrary HTML/JavaScript can execute in a user’s browser via query result rendering. Affected version: pgAdmin

9.1CVSS7.3AI score0.00305EPSS
CVE
CVE
added 2025/12/11 6:30 p.m.56 views

CVE-2025-13780

CVE-2025-13780 affects pgAdmin up to 9.10 when running in server mode and performing restores from PLAIN-format dump files, enabling remote code execution by injecting commands on the pgAdmin server. The issue is triggered during server-mode restore operations and could compromise confidentiality...

9.1CVSS7.4AI score0.00866EPSS
CVE
CVE
added 2026/05/11 2:35 p.m.29 views

CVE-2026-7813

pgAdmin 4 server mode CVE-2026-7813 enables cross-user data access and privilege escalation in Shared Servers. An authenticated user could enumerate object IDs to fetch another user’s private servers, server groups, background processes, and debugger arguments due to lacking user-scoped access co...

9.9CVSS6.1AI score0.00455EPSS