VYPR
Critical severity · NVD Advisory · Published Apr 3, 2025 · Updated Apr 3, 2025

Cross-Site Scripting (XSS) vulnerability: arbitrary HTML/JavaScript is executed while rendering query results in the Query Tool and View/Edit Data tool of pgAdmin 4

CVE-2025-2946

Description

pgAdmin 4 versions up to and including 9.1 are affected by a Cross-Site Scripting (XSS) vulnerability. Attacker-controlled HTML/JavaScript contained in a query result (for example, a value stored in a table cell that a pgAdmin user later views) is inserted into the page without escaping while the Query Tool and View/Edit Data tool render the result grid, so it executes in that user's browser with the user's pgAdmin session.
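As an added example (not pgAdmin code and not part of the advisory), the Node script below implements a line-oriented audit for the DOM XSS sinks behind this class of bug and runs it over constructed before/after copies of the patched measureText() function; it goes slightly beyond the specific case by also flagging outerHTML, insertAdjacentHTML and document.write, and it includes an escaping fallback for the case where markup genuinely must be inserted. The function names, regexes, and the sample cell value are assumptions of this example, and the snippets are reconstructed here with string concatenation rather than a template literal so they can be embedded as text.

```javascript
// Added example, not pgAdmin code: a line-oriented audit for DOM XSS sinks
// in JavaScript source, of the kind that would have flagged the pre-fix
// measureText(). Runs under Node and needs no DOM.

// Sinks that parse their input as HTML. A plain string literal feeding the
// sink is harmless; any expression (a variable, a call, a template) is reported.
const ASSIGN_SINK = /\.(innerHTML|outerHTML)\s*\+?=(?!=)\s*(.+?);?\s*$/;
const CALL_SINKS = [
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\(\s*(.+)\)\s*;?\s*$/ },
  { name: 'document.write', re: /document\.writeln?\s*\(\s*(.+)\)\s*;?\s*$/ },
];
const STRING_LITERAL = /^(['"])(?:(?!\1).)*\1$/;

function isLiteral(expr) {
  return STRING_LITERAL.test(expr.trim());
}

// Returns [{line, sink, value}] for every sink fed by a non-literal expression.
function findHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((raw, idx) => {
    const line = raw.trim();
    if (line.startsWith('//')) return; // skip line comments
    const a = line.match(ASSIGN_SINK);
    if (a) {
      if (!isLiteral(a[2])) findings.push({ line: idx + 1, sink: a[1], value: a[2].trim() });
      return;
    }
    for (const { name, re } of CALL_SINKS) {
      const c = line.match(re);
      if (!c) continue;
      // insertAdjacentHTML(position, html): the markup is the last argument
      const args = c[1].split(',');
      const html = args[args.length - 1];
      if (!isLiteral(html)) findings.push({ line: idx + 1, sink: name, value: html.trim() });
      return;
    }
  });
  return findings;
}

// When markup really is needed, escape untrusted text before it reaches a sink.
// Assigning textContent (the actual fix) is preferable: nothing is parsed at all.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed snippets mirroring utils.js measureText() before and after the
// fix (font applied by concatenation here so the sample can live in a string).
const MEASURE_TEXT_BEFORE = `
export function measureText(text, font) {
  if (!measureText.ele) {
    measureText.ele = document.createElement('div');
    measureText.ele.style.cssText = 'position: absolute; visibility: hidden; white-space: nowrap; font: ' + font;
    document.body.appendChild(measureText.ele);
  }
  measureText.ele.innerHTML = text;
  const dim = measureText.ele.getBoundingClientRect();
  return {width: dim.width, height: dim.height};
}`;
const MEASURE_TEXT_AFTER = MEASURE_TEXT_BEFORE.replace('.innerHTML = text', '.textContent = text');

// A constructed cell value of the kind an attacker could store in a table.
// A hidden element still fires onerror when this is parsed via innerHTML.
const SAMPLE_CELL = '<img src=x onerror=alert(1)>';

console.log('before fix:', findHtmlSinks(MEASURE_TEXT_BEFORE));
console.log('after fix: ', findHtmlSinks(MEASURE_TEXT_AFTER));
console.log('escaped:   ', escapeHtml(SAMPLE_CELL));
```

The audit is deliberately conservative: it treats only a bare string literal as a safe right-hand side, so a call to an escaping helper or a sanitizer is still reported and has to be reviewed by hand, which is the behaviour you want when grepping a large front end for sinks.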

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pgadmin4 (PyPI)
Affected versions: < 9.2
Patched versions: 9.2


Patches

1305d9910bee

Fixed an XSS vulnerability issue in the Query Tool and View/Edit Data (CVE-2025-2946). #8602

https://github.com/pgadmin-org/pgadmin4 · Akshay Joshi · Mar 31, 2025 · via GHSA
2 files changed · +2 −1
  • docs/en_US/release_notes_9_2.rst+1 0 modified
    @@ -49,3 +49,4 @@ Bug fixes
       | `Issue #8546 <https://github.com/pgadmin-org/pgadmin4/issues/8546>`_ -  Fixed an issue where updating the grantee was not correctly applying the privileges.
       | `Issue #8577 <https://github.com/pgadmin-org/pgadmin4/issues/8577>`_ -  Fixed an issue where the upgrade_check API returned an unexpected keyword argument 'cafile' due to changes in the urllib package supporting Python v3.13.
       | `Issue #8597 <https://github.com/pgadmin-org/pgadmin4/issues/8597>`_ -  Fixed an issue where delete/rename was done on wrong file after sorting in Storage Manager.
    +  | `Issue #8602 <https://github.com/pgadmin-org/pgadmin4/issues/8602>`_ -  Fixed an XSS vulnerability issue in the Query Tool and View/Edit Data (CVE-2025-2946).
    
  • web/pgadmin/static/js/utils.js+1 1 modified
    @@ -602,7 +602,7 @@ export function measureText(text, font) {
         measureText.ele.style.cssText = `position: absolute; visibility: hidden; white-space: nowrap; font: ${font}`;
         document.body.appendChild(measureText.ele);
       }
    -  measureText.ele.innerHTML = text;
    +  measureText.ele.textContent = text;
       const dim = measureText.ele.getBoundingClientRect();
       return {width: dim.width, height: dim.height};
     }
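Review bot: the switch from innerHTML to textContent on the measuring element is the right fix, but the hunk ships without a regression test or a comment explaining why the sink mattered. The div is created with `visibility: hidden` a few lines above, and hidden elements still execute event handlers on markup that innerHTML parses, so any result cell passed to measureText() (the width-estimation path used by the grid) could run attacker-supplied script; a one-line comment above `measureText.ele.textContent = text;` would stop a future refactor from reintroducing innerHTML for "richer" measurement. Please also add a unit test that calls measureText() with a value such as `<img src=x onerror=...>` and asserts that `measureText.ele` has no child elements. One behavioural note for the release note on #8602: widths are now computed from the literal characters, so values containing tags or entities will measure wider than before, which is correct for a grid that displays them verbatim.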
    

