VYPR
Moderate severity · NVD Advisory · Published Nov 20, 2025 · Updated Nov 20, 2025

CVE-2025-60799

Description

phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server', 'database', 'queryid') without proper validation or access control checks. Attackers can exploit this to store arbitrary SQL queries in $_SESSION['sqlquery'] by manipulating these parameters, potentially leading to session poisoning, stored cross-site scripting, or unauthorized access to sensitive session data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

phpPgAdmin 7.13.0 and earlier has an access control flaw in sql.php allowing attackers to manipulate session SQL queries via user-controlled parameters.

Vulnerability

Description

phpPgAdmin 7.13.0 and earlier suffer from an incorrect access control vulnerability in the sql.php file, specifically at lines 68-76 [1][2]. The application accepts user-controlled parameters such as 'subject', 'server', 'database', and 'queryid' and stores them directly into the $_SESSION['sqlquery'] variable without proper validation or access control checks [1]. This allows an attacker to inject arbitrary SQL query strings into the session.

Exploitation

An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the phpPgAdmin instance, manipulating the aforementioned parameters [1]. The attack can be performed without authentication, as the application fails to enforce access control on these parameters [1]. The attacker only needs network access to the phpPgAdmin web interface.

Impact

Successful exploitation can lead to session poisoning, where the attacker's malicious SQL query is stored in the session [3]. This can result in stored cross-site scripting (XSS) if the stored query is later rendered unsafely, unauthorized access to sensitive session data, or stored SQL injection attacks [3][1]. The impact is increased if the application relies on session data for authorization decisions.

Mitigation

As of the publication date, no official patch has been released [4]. The affected versions are 7.13.0 and earlier. Users are advised to apply input validation to the vulnerable parameters or restrict access to the sql.php endpoint until a fix is available [1][3]. The phpPgAdmin project may release an update in the future [4].
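One way to apply the mitigation described above at the entry of sql.php, as an added example that is not phpPgAdmin's own code: require an authenticated session and allowlist the four named parameters before anything is written to $_SESSION['sqlquery']. The allowed 'subject' values, the $_SESSION['authenticated'] login marker and the $config['servers'] list are assumptions, not names taken from the advisory.

```php
<?php
// Added example, not phpPgAdmin's own code: a guard for the entry of sql.php
// that allowlists the four parameters named in CVE-2025-60799 and requires
// an authenticated session before anything is written to $_SESSION['sqlquery'].

// Assumed set of legitimate 'subject' values; adjust to the instance's real set.
const ALLOWED_SUBJECTS = ['history', 'table', 'view', 'schema'];

// Return the validated parameters, or null if any check fails. $knownServers is
// the list of server identifiers from the instance configuration (assumed shape).
function validateSqlPageParams(array $req, array $knownServers): ?array
{
    $subject  = $req['subject']  ?? null;
    $server   = $req['server']   ?? null;
    $database = $req['database'] ?? null;
    $queryid  = $req['queryid']  ?? null;

    // 'subject' must be one of the known page types, never free text.
    if (!is_string($subject) || !in_array($subject, ALLOWED_SUBJECTS, true)) {
        return null;
    }
    // 'server' must name a configured server, not an arbitrary string.
    if (!is_string($server) || !in_array($server, $knownServers, true)) {
        return null;
    }
    // Database name: a conservative identifier pattern (no quotes, ';' or '<').
    if (!is_string($database) || !preg_match('/^[A-Za-z_][A-Za-z0-9_$]{0,62}$/', $database)) {
        return null;
    }
    // 'queryid', when present, selects a saved query by numeric index.
    if ($queryid !== null && !ctype_digit((string) $queryid)) {
        return null;
    }
    return ['subject' => $subject, 'server' => $server, 'database' => $database,
            'queryid' => $queryid === null ? null : (int) $queryid];
}

// Entry check. Assumes a login marker $_SESSION['authenticated'] and a
// hypothetical $config['servers'] list; neither name comes from the advisory.
session_start();
if (empty($_SESSION['authenticated'])) {
    http_response_code(403);
    exit('Not authenticated');
}
$params = validateSqlPageParams($_REQUEST, $config['servers'] ?? []);
if ($params === null) {
    http_response_code(400);
    exit('Invalid request parameters');
}
// Only now may sql.php derive $_SESSION['sqlquery'] from the validated $params.
```

Rejecting unknown 'server' and 'queryid' values before the session write also removes the session-poisoning path the Impact section describes, since no attacker-chosen string reaches $_SESSION['sqlquery'].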

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
phppgadmin/phppgadmin (Packagist) | <= 7.13.0 | none

Affected products: 2

Patches: 0 (no patches discovered yet)
