VYPR

Pgadmin4

by Pgadmin.org

pypi: pgadmin4

Source repositories

CVEs (33)

  • CVE-2026-12046 [imp] Jun 18, 2026
    risk 0.59 | cvss 9.0 | epss 0.01

    pgadmin4: pgAdmin 4: Remote Code Execution due to missing authentication on critical functions

  • CVE-2026-12045 [imp] Jun 18, 2026
    risk 0.59 | cvss 9.0 | epss 0.01

    pgadmin4: pgAdmin 4: Remote code execution via prompt injection in AI Assistant

  • CVE-2026-7813 [Cri] May 11, 2026
    risk 0.57 | cvss 9.9 | epss 0.00

    Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could…

  • CVE-2026-7816 [Hig] May 11, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export. User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy…

  • CVE-2026-7815 [Hig] May 11, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An…

  • CVE-2026-7819 [Hig] May 11, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager. check_access_permission used os.path.abspath, which resolves '..' but does not resolve symbolic links, while the subsequent kernel write follows symlinks. An authenticated user could plant a symbolic link…

  • CVE-2026-7818 [Hig] May 11, 2026
    risk 0.39 | cvss 7.0 | epss 0.00

    Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager. The session manager performed unsafe deserialization of session-file contents (using Python's standard object-serialization module) before performing any HMAC integrity check. Any file dropped…

  • CVE-2026-7820 [Med] May 11, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4. pgAdmin enforces MAX_LOGIN_ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.init_app() and is reachable…

  • CVE-2026-7817 [Med] May 11, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints. User-supplied api_key_file and api_url preferences were passed to the LLM provider clients without validation. An authenticated user could read…

  • CVE-2026-12047 [mod] Jun 18, 2026
    risk 0.30 | cvss 4.6 | epss 0.00

    pgadmin4: pgAdmin 4: HTML injection via unsanitized SDK exception messages in cloud deployment module

  • CVE-2026-7814 [Med] May 11, 2026
    risk 0.24 | cvss 4.8 | epss 0.00

    Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules. User-controlled PostgreSQL object names (database, schema, table, column, etc.) were assigned to DOM elements via innerHTML, allowing crafted object names containing HTML…

  • CVE-2026-12050 [mod] Jun 18, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    pgadmin4: pgAdmin 4: Arbitrary SQL execution via SQL injection in restore point endpoint

  • CVE-2026-12049 [low] Jun 18, 2026
    risk 0.16 | cvss 3.5 | epss 0.00

    pgadmin4: pgAdmin 4: Open redirect vulnerability in multi-factor authentication can lead to phishing

  • CVE-2024-9014 Sep 23, 2024
    risk 0.07 | cvss not listed | epss 0.10

    pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data.

  • CVE-2024-2044 Mar 7, 2024
    risk 0.02 | cvss not listed | epss 0.79

    pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server…

  • CVE-2024-3116 Apr 4, 2024
    risk 0.01 | cvss not listed | epss 0.65

    pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting PGAdmin, posing a severe risk to the database management system's integrity and…

  • CVE-2026-12048 Jun 18, 2026
    risk 0.00 | cvss not listed | epss 0.00

    Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server (ErrorResponse messages, including object names quoted back inside relation-does-not-exist errors and inside EXPLAIN Recheck Cond / Exact Heap Blocks…

  • CVE-2026-12044 Jun 18, 2026
    risk 0.00 | cvss not listed | epss 0.01

    SQL injection in pgAdmin 4 across every dialog template that renders ``COMMENT ON ... IS ''`` for a user-supplied description field. The Jinja templates for Domains (and their constraints), Foreign Tables, Languages, and Event Triggers, plus the Views OID-lookup…

  • CVE-2026-1707 Feb 5, 2026
    risk 0.00 | cvss not listed | epss 0.00

    pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore…

  • CVE-2025-13780 Dec 11, 2025
    risk 0.00 | cvss not listed | epss 0.01

    pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting…

Page 1 of 2