Moderate severity · NVD Advisory · Published Nov 13, 2025 · Updated Feb 26, 2026
Command injection vulnerability allowing arbitrary command execution on Windows
CVE-2025-12763
Description
pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input.
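The pattern the description names, passing a string built from user-controlled file path input to a shell via shell=True, is illustrated below with an added example that is not pgAdmin's code; tool names, the sample path and the sample source being audited are all constructed for the illustration. It shows the hardened form (an argument vector with no shell), verifies by running a child process that the path arrives as a single argument even though it contains characters cmd.exe treats as operators, and includes a small AST-based audit check that flags subprocess calls using shell=True in a code base.

```python
"""Hypothetical illustration of the shell=True class of bug described by
CVE-2025-12763, with two defensive checks. None of this is pgAdmin's code;
tool names, paths and the audited source are constructed for the example."""
import ast
import json
import subprocess
import sys

# Constructed sample path: a legitimate Windows path that nevertheless contains
# '&', which cmd.exe treats as a command separator. With shell=True the shell
# would split it; passed as an argv element it stays one argument.
SAMPLE_PATH = r"C:\Users\R&D\nightly backup.dump"


def unsafe_command_string(tool: str, path: str) -> str:
    """The risky shape: one string destined for subprocess.run(..., shell=True).
    Wrapping the path in double quotes is not a reliable defence on cmd.exe.
    This function only shows the pattern; it is never executed in this example."""
    return f'{tool} --file="{path}"'


def safe_argv(tool: str, path: str) -> list[str]:
    """Hardened form: an argument vector run with shell=False (the default).
    The path reaches the child as exactly one argv element, whatever it contains."""
    return [tool, "--file", path]


def run_and_echo_argv(path: str) -> list[str]:
    """Run the hardened form for real, using the current Python interpreter as a
    stand-in for the backup tool. The child prints its argv as JSON so the caller
    can confirm that no shell split or reinterpreted the path."""
    child = [sys.executable, "-c",
             "import sys, json; print(json.dumps(sys.argv[1:]))"]
    argv = child + safe_argv("backup-tool", path)[1:]  # appends "--file", path
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)  # no shell
    return json.loads(proc.stdout)


def find_shell_true_calls(source: str) -> list[int]:
    """Audit check: line numbers of subprocess.<anything>(...) calls that pass
    shell=True. A quick repository scan for the pattern behind this advisory."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        is_subprocess_call = (isinstance(func, ast.Attribute)
                              and isinstance(func.value, ast.Name)
                              and func.value.id == "subprocess")
        if not is_subprocess_call:
            continue
        for kw in node.keywords:
            if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                hits.append(node.lineno)
    return sorted(hits)


# Constructed source to audit; not taken from pgAdmin.
SAMPLE_SOURCE = '''
import subprocess
def backup(path):
    subprocess.run(f'dump-tool --file="{path}"', shell=True)     # flagged
def restore(path):
    subprocess.run(["restore-tool", "--dbname", "app", path])   # fine
def listing(path):
    subprocess.Popen("dir " + path, shell=True)                 # flagged
'''

if __name__ == "__main__":
    print("argv seen by child:", run_and_echo_argv(SAMPLE_PATH))
    print("shell=True calls at lines:", find_shell_true_calls(SAMPLE_SOURCE))
```

The audit helper only recognises the `subprocess.run(...)` / `subprocess.Popen(...)` spelling with a literal `shell=True`; calls made through `from subprocess import run` or with `shell=flag` need a broader check, so treat it as a first pass rather than a complete scan.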
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pgadmin4 (PyPI) | < 9.10 | 9.10 |
Affected products (3)
- ghsa-coords (2 versions): < 9.10, + 1 more
- (no CPE) range: < 9.10
- (no CPE) range: < 9.11-1.1
- Range: 0
Patches
Vulnerability mechanics
References (4)
- github.com/advisories/GHSA-rm79-x4g6-hvg5 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-12763 (ghsa, ADVISORY)
- github.com/pgadmin-org/pgadmin4/commit/e374edc69239b3e02ecde895e27d9f9e488b87ee (ghsa, WEB)
- github.com/pgadmin-org/pgadmin4/issues/9323 (ghsa, issue-tracking, WEB)
News mentions (0)
No linked articles in our index yet.