11 matches found
CVE-2025-2945
CVE-2025-2945 affects pgAdmin 4 (versions 8.10–9.1). An authenticated user can trigger remote code execution by sending a crafted payload via the query_tool/download (query_commited) or cloud/deploy (high_availability) endpoints, which unsafe-pass data to Python eval(). Proofs of concept exist (a...
CVE-2024-3116
CVE-2024-3116 affects pgAdmin
CVE-2024-9014
pgAdmin 4 (versions ≤ 8.11) is affected by CVE-2024-9014 due to an OAuth2 authentication flaw that can expose OAuth2_CLIENT_ID and OAuth2_CLIENT_SECRET from the login/config, enabling unauthorized access to user data. The Nuclei template confirms an authentication bypass/vector leading to credent...
CVE-2024-2044
CVE-2024-2044 affects pgAdmin4
CVE-2026-12046
CVE-2026-12046: pgAdmin 4 exposes unauthenticated deserialization sink in SQL Editor close and update_connection routes (DELETE /sqleditor/close/, POST /sqleditor/initialize/sqleditor/update_connection///). Missing @pga_login_required allows unauthenticated access to pickle.loads on session['grid...
CVE-2025-12762
CVE-2025-12762 affects pgAdmin 4 up to v9.9 when running in server mode and performing restores from PLAIN-format dumps, enabling remote code execution via injected commands on the host. Public advisories and Nessus/GHSA entries confirm this is a critical RCE with network access, low complexity, ...
CVE-2026-12045
The CVE-2026-12045 affects pgAdmin 4 (from version 9.13 up to before 9.16) and concerns the AI Assistant read-only transaction bypass. A prompt-injection vulnerability allows an attacker who can influence content seen by the AI Assistant to craft LLM-generated SQL payloads that bypass the BEGIN T...
CVE-2026-12048
CVE-2026-12048 affects pgAdmin 4 (versions 6.0 up to 9.16). Stored XSS occurs when untrusted server-returned text is passed through html-react-parser in multiple user-facing sinks (toasts, dialogs, explain visualiser, SQL editor prompts, etc.), allowing an attacker-controlled PostgreSQL server to...
CVE-2025-2946
CVE-2025-2946 is a Cross‑Site Scripting (XSS) vulnerability in pgAdmin 4 where arbitrary HTML/JavaScript can execute in a user’s browser via query result rendering. Affected version: pgAdmin
CVE-2025-13780
CVE-2025-13780 affects pgAdmin up to 9.10 when running in server mode and performing restores from PLAIN-format dump files, enabling remote code execution by injecting commands on the pgAdmin server. The issue is triggered during server-mode restore operations and could compromise confidentiality...
CVE-2026-7813
pgAdmin 4 server mode CVE-2026-7813 enables cross-user data access and privilege escalation in Shared Servers. An authenticated user could enumerate object IDs to fetch another user’s private servers, server groups, background processes, and debugger arguments due to lacking user-scoped access co...