High severity8.8NVD Advisory· Published May 11, 2026· Updated May 13, 2026

CVE-2026-7816

Description

OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export.

User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable.

Fix adds a parens-balance parser modeled on psql's strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks.

This issue affects pgAdmin 4: before 9.15.

Affected products

Pgadmin Org/Pgadmin4references

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/pgadmin-org/pgadmin4/issues/9899nvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000