VYPR

apk package

chainguard/pgadmin4

pkg:apk/chainguard/pgadmin4

Vulnerabilities (45)

  • CVE-2026-45409MedJun 5, 2026
    affected < 9.15-r1fixed 9.15-r1

    Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize t

  • CVE-2026-44681MedMay 27, 2026
    affected < 9.15-r1fixed 9.15-r1

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an H

  • CVE-2026-44432HigMay 13, 2026
    affected < 9.15-r1fixed 9.15-r1

    urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) w

  • CVE-2026-44431MedMay 13, 2026
    affected < 9.15-r1fixed 9.15-r1

    urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.

  • CVE-2026-44307HigMay 12, 2026
    affected < 9.15-r1fixed 9.15-r1

    Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads

  • CVE-2026-7820MedMay 11, 2026
    affected < 9.15-r1fixed 9.15-r1

    Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4. pgAdmin enforces MAX_LOGIN_ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.init_app() and is reachable

  • CVE-2026-7819HigMay 11, 2026
    affected < 9.15-r1fixed 9.15-r1

    Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager. check_access_permission used os.path.abspath, which resolves '..' but does not resolve symbolic links, while the subsequent kernel write follows symlinks. An authenticated user could plant a symbolic link i

  • CVE-2026-7818HigMay 11, 2026
    affected < 9.15-r1fixed 9.15-r1

    Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager. The session manager performed unsafe deserialization of session-file contents (using Python's standard object-serialization module) before performing any HMAC integrity check. Any file dropped int

  • CVE-2026-7817MedMay 11, 2026
    affected < 9.15-r1fixed 9.15-r1

    Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints. User-supplied api_key_file and api_url preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitra

  • CVE-2026-7816HigMay 11, 2026
    affected < 9.15-r1fixed 9.15-r1

    OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export. User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...)

  • CVE-2026-7815HigMay 11, 2026
    affected < 9.15-r1fixed 9.15-r1

    SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An

  • CVE-2026-7814MedMay 11, 2026
    affected < 9.15-r1fixed 9.15-r1

    Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules. User-controlled PostgreSQL object names (database, schema, table, column, etc.) were assigned to DOM elements via innerHTML, allowing crafted object names containing HTML ma

  • CVE-2026-7813CriMay 11, 2026
    affected < 9.15-r1fixed 9.15-r1

    Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could acces

  • CVE-2026-44405LowMay 6, 2026
    affected < 9.14-r2fixed 9.14-r2

    In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.

  • CVE-2026-39892CriApr 8, 2026
    affected < 9.14-r1fixed 9.14-r1

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulner

  • CVE-2026-34073MedMar 31, 2026
    affected < 9.13-r3fixed 9.13-r3

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently

  • CVE-2026-25645Mar 25, 2026
    affected < 9.13-r3fixed 9.13-r3

    Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid

  • CVE-2026-4539LowMar 22, 2026
    affected < 9.13-r3fixed 9.13-r3

    A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit

  • CVE-2026-30922HigMar 18, 2026
    affected < 9.13-r2fixed 9.13-r2

    pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousa

  • CVE-2026-25990HigFeb 11, 2026
    affected < 9.12-r1fixed 9.12-r1

    Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.

Page 1 of 3