VYPR
Moderate severity · NVD Advisory · Published Nov 13, 2025 · Updated Feb 26, 2026

Command injection vulnerability allowing arbitrary command execution on Windows

CVE-2025-12763

Description

pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. The issue is caused by the use of shell=True when launching the backup and restore utilities, which lets an attacker execute arbitrary system commands by supplying a specially crafted file path.
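An added example (not pgAdmin's code) in the shape of the fix: a launcher that keeps shell=False and, on Windows, hides the console window with creationflags, plus a constructed stand-in for pg_restore that shows a path containing shell metacharacters arriving in the child as one literal argument. The names popen_kwargs, run_argv and restore_args_as_received are assumptions.

```python
import os
import subprocess
import sys

_IS_WIN = os.name == "nt"


def popen_kwargs():
    """Process options in the shape of the patched execute(): never a shell; on
    Windows, hide the console window with creationflags instead."""
    kwargs = {"close_fds": False, "shell": False}
    if _IS_WIN:
        kwargs["creationflags"] = subprocess.CREATE_NO_WINDOW
    return kwargs


def run_argv(argv):
    """Run a child from an argv list. A str is rejected: with shell=False it
    would be taken as the program name, and switching to shell=True to make a
    string 'work' is the original defect."""
    if isinstance(argv, str):
        raise TypeError("argv must be a list of arguments, not a string")
    return subprocess.run(argv, capture_output=True, text=True, **popen_kwargs())


# Constructed stand-in for pg_restore (hypothetical): a Python child that echoes
# the arguments it received, one per line, so we see what the OS delivered.
_ECHO_ARGV = "import sys; print('\\n'.join(sys.argv[1:]))"


def restore_args_as_received(filepath):
    """Mirror the patched get_restore_util_args(): the user-controlled path is
    appended as its own argv element. Returns the argv as the child saw it."""
    argv = [sys.executable, "-c", _ECHO_ARGV, "--verbose", filepath]
    return run_argv(argv).stdout.splitlines()


if __name__ == "__main__":
    # Constructed sample: a file name with characters a shell would interpret.
    # Without a shell it reaches the child as exactly one literal argument.
    print(restore_args_as_received("week 1 & notes.sql"))
```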

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pgadmin4 (PyPI)
Affected versions: < 9.10
Patched versions: 9.10


Patches

e374edc69239

Fixed Command injection vulnerability allowing arbitrary command execution on Windows (CVE-2025-12763). #9323

https://github.com/pgadmin-org/pgadmin4 · Yogesh Mahajan · Nov 10, 2025 · via GHSA
4 files changed · +16 −8
  • docs/en_US/release_notes_9_10.rst · +2 −1 · modified
    @@ -41,4 +41,5 @@ Bug fixes
       | `Issue #9240 <https://github.com/pgadmin-org/pgadmin4/issues/9240>`_ -  Fixed an issue where the Debian build process failed with a "Sphinx module not found" error when using a Python virtual environment.
       | `Issue #9281 <https://github.com/pgadmin-org/pgadmin4/issues/9281>`_ -  Fixed an issue where the last used storage directory was reset to blank, leading to access denied errors during backup or restore operations.
       | `Issue #9304 <https://github.com/pgadmin-org/pgadmin4/issues/9304>`_ -  Fixed an issue that prevented assigning multiple users to an RLS policy.
    -  | `Issue #9320 <https://github.com/pgadmin-org/pgadmin4/issues/9320>`_ -  Fixed remote code execution vulnerability when restoring PLAIN-format SQL dumps in server mode (CVE-2025-12762).
    \ No newline at end of file
    +  | `Issue #9320 <https://github.com/pgadmin-org/pgadmin4/issues/9320>`_ -  Fixed remote code execution vulnerability when restoring PLAIN-format SQL dumps in server mode (CVE-2025-12762).
    +  | `Issue #9323 <https://github.com/pgadmin-org/pgadmin4/issues/9323>`_ -  Fixed Command injection vulnerability allowing arbitrary command execution on Windows (CVE-2025-12763).
    \ No newline at end of file
    
  • web/pgadmin/misc/bgprocess/process_executor.py · +4 −1 · modified
    @@ -33,6 +33,7 @@
     # To make print function compatible with python2 & python3
     import sys
     import os
    +import subprocess
     from datetime import datetime, timedelta, tzinfo, timezone
     from subprocess import Popen, PIPE
     from threading import Thread
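Review bot: style: the new `import subprocess` now sits beside the existing `from subprocess import Popen, PIPE`. Since `CREATE_NO_WINDOW` is only defined on Windows builds of Python, a module import with a guarded attribute access is the right choice here (adding it to the from-import would raise ImportError on POSIX), but a one-line comment at the import site saying why both forms coexist would save the next reader the question.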
    @@ -319,7 +320,9 @@ def execute(argv):
     
             kwargs = dict()
             kwargs['close_fds'] = False
    -        kwargs['shell'] = True if _IS_WIN else False
    +        kwargs['shell'] = False
    +        if _IS_WIN:
    +            kwargs['creationflags'] = subprocess.CREATE_NO_WINDOW
     
             # We need environment variables & values in string
             kwargs['env'] = os.environ.copy()
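Review bot: the security fix is the single line `kwargs['shell'] = False`, which is correct but silently assumes every caller of execute() passes argv as a list. With shell=False, Popen on Windows still hands a str argv to CreateProcess as one command line, so a caller that built a string would keep working on Windows and only break on POSIX. Suggest an explicit type check at the top of execute() (raise if argv is a str), plus a regression test asserting that a file path containing `&` or `|` reaches the child utility as a single argument. `kwargs['shell'] = False` could be dropped as it is Popen's default, but keeping it explicit documents the intent.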
    
  • web/pgadmin/tools/restore/__init__.py · +1 −1 · modified
    @@ -336,7 +336,7 @@ def get_restore_util_args(data, manager, server, driver, conn, filepath):
                          False)
             set_multiple('indexes', '--index', data, args, driver, conn, False)
     
    -    args.append(fs_short_path(filepath))
    +    args.append(filepath)
     
         return args
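Review bot: `fs_short_path(filepath)` is removed here but kept inside `filename_with_file_manager_path` in web/pgadmin/utils/__init__.py, so the two code paths now treat the path differently; a short comment stating that the full path is safe once the child runs without a shell (no word splitting on spaces) would stop someone from "fixing" this back. The advisory names backup as well as restore, yet only the restore argument builder is touched in this diff; worth confirming that the backup counterpart never wrapped its path the same way, or that the shell=False change in process_executor.py alone covers it.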
     
    
  • web/pgadmin/utils/__init__.py · +9 −5 · modified
    @@ -311,15 +311,19 @@ def filename_with_file_manager_path(_file, create_file=False,
         elif not os.path.isabs(_file):
             _file = os.path.join(document_dir(), _file)
     
    -    def short_filepath():
    -        short_path = fs_short_path(_file)
    +    def short_filepath(file=_file):
    +        short_path = fs_short_path(file)
             # fs_short_path() function may return empty path on Windows
             # if directory doesn't exists. In that case we strip the last path
             # component and get the short path.
             if os.name == 'nt' and short_path == '':
    -            base_name = os.path.basename(_file)
    -            dir_name = os.path.dirname(_file)
    -            short_path = fs_short_path(dir_name) + '\\' + base_name
    +            base_name = os.path.basename(file)
    +            dir_name = os.path.dirname(file)
    +            dir_short_path = fs_short_path(dir_name)
    +            if dir_short_path == '' and file != "":
    +                short_path = os.path.join(short_filepath(dir_name), base_name)
    +            else:
    +                short_path = os.path.join(dir_short_path, base_name)
             return short_path
     
         if create_file:
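Review bot: the recursion in `short_filepath` has no termination guard for the drive-root case. `os.path.dirname('C:\\')` returns `'C:\\'` unchanged, so if `fs_short_path` ever returns '' for a root (or any path whose dirname is itself), the `if dir_short_path == '' and file != "":` branch calls `short_filepath(dir_name)` with the same argument forever. Add `and dir_name != file` to that condition and fall back to `os.path.join(dir_name, base_name)` in the else branch; also consider whether `base_name == ''` (a path with a trailing separator) needs the same treatment as the existing `file != ""` check.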
    

