CVE-2025-60798
Description
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from $_REQUEST['query'] directly to the browseQuery function without proper sanitization. An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands through malicious query manipulation, potentially leading to complete database compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpPgAdmin 7.13.0 and earlier has a SQL injection in display.php line 396, allowing authenticated attackers to execute arbitrary SQL commands via the query parameter.
Vulnerability
Description
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in the display.php script at line 396. The application passes user-controlled input from the $_REQUEST['query'] parameter directly to the browseQuery() function without any sanitization or parameterization [1][4]. This lack of input validation allows an attacker to inject malicious SQL statements into the database query.
Exploitation
An authenticated attacker can exploit this vulnerability by crafting a malicious query parameter in a request to display.php. Since the input is used directly in a SQL query, the attacker can manipulate the query structure to execute arbitrary SQL commands. The attack requires authentication to the phpPgAdmin interface, but no special privileges beyond a valid user account are needed [1][4].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands on the underlying PostgreSQL database. This can lead to complete database compromise, including data exfiltration, modification, deletion, and potential privilege escalation within the database context [1][4]. The impact is severe as it undermines the confidentiality, integrity, and availability of the database managed by phpPgAdmin.
Mitigation
As of the publication date, no patch has been released for this vulnerability. Users of phpPgAdmin 7.13.0 and earlier are advised to upgrade to patched version 7.14.0 or later once one is available, or to apply input sanitization and parameterized queries as a workaround. The vulnerability has been assigned CVE-2025-60798 and is publicly documented [1][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
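The workaround named above, input validation plus parameterized queries, as an added illustration. This is not phpPgAdmin's code and does not reproduce display.php or browseQuery(); the function names browse_unsafe() and browse_safe(), the ALLOWED_SORT_COLUMNS list, the audit_log table and the $conn connection handle are all assumptions made for this example. The pg_query(), pg_query_params(), pg_fetch_all() and pg_last_error() calls are PHP's standard pgsql extension functions.

```php
<?php
// Added illustration, not phpPgAdmin's code: the unsafe pattern the advisory
// describes (request input spliced straight into SQL) beside a hardened form.
// Assumes a live PostgreSQL connection in $conn (from pg_connect) and a table
// named "audit_log"; both are placeholders chosen for this example.

declare(strict_types=1);

// VULNERABLE: user-controlled text becomes part of the SQL statement itself.
// A single quote in the input ends the string literal and whatever follows
// is parsed as SQL, so the caller no longer controls the statement's shape.
function browse_unsafe($conn, string $requestedFilter): array
{
    $sql = "SELECT id, actor, action FROM audit_log WHERE actor = '" . $requestedFilter . "'";
    $res = pg_query($conn, $sql);            // data and code are not separated
    return pg_fetch_all($res) ?: [];
}

// HARDENED: values travel as bound parameters, identifiers are allow-listed,
// and the request input is shape-checked before it is used at all.
const ALLOWED_SORT_COLUMNS = ['id', 'actor', 'action'];   // assumed column names

function browse_safe($conn, string $requestedFilter, string $requestedSort): array
{
    // 1. Validate shape: reject anything that is not a plausible actor name.
    if (!preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $requestedFilter)) {
        throw new InvalidArgumentException('invalid filter');
    }
    // 2. Identifiers cannot be bound as parameters, so allow-list them.
    if (!in_array($requestedSort, ALLOWED_SORT_COLUMNS, true)) {
        throw new InvalidArgumentException('invalid sort column');
    }
    // 3. Bind the value: the driver sends $1 separately from the SQL text,
    //    so quotes or keywords inside the input can never alter the statement.
    $sql = 'SELECT id, actor, action FROM audit_log WHERE actor = $1 ORDER BY ' . $requestedSort;
    $res = pg_query_params($conn, $sql, [$requestedFilter]);
    if ($res === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    return pg_fetch_all($res) ?: [];
}

// Usage (assumes $conn = pg_connect('...') has already succeeded):
// $rows = browse_safe($conn, $_REQUEST['filter'] ?? '', $_REQUEST['sort'] ?? 'id');
```

The two defences are deliberately layered: the regular expression rejects malformed input early and gives a clear error, while the bound parameter is what actually guarantees the input cannot change the statement even if the validation is later loosened. Sort columns are handled separately because PostgreSQL cannot bind an identifier as a parameter, so an allow-list is the correct tool there.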
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| phppgadmin/phppgadmin | Packagist | <= 7.13.0 | none |
Affected products
- phpPgAdmin/phpPgAdmin
  - Range: <= 7.13.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-g6xh-wrpf-v6j6 (GHSA, advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2025-60798 (GHSA, advisory)
- [3] github.com/phppgadmin/phppgadmin/blob/master/display.php (GHSA, web)
- [4] github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60797.md (GHSA, web)
- [5] github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60798.md (GHSA, web)
News mentions
No linked articles in our index yet.