Pgadmin4
by Pgadmin.org
CVEs (33)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-12765 | | | 0.00 | — | 0.00 | | Nov 13, 2025 | pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism that allows bypassing TLS certificate verification. |
| CVE-2025-12764 | | | 0.00 | — | 0.00 | | Nov 13, 2025 | pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters in the username, causing the domain controller/LDAP server and the client to process an unusual amount of data (denial of service). |
| CVE-2025-12763 | | | 0.00 | — | 0.01 | | Nov 13, 2025 | pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path… |
| CVE-2025-12762 | | | 0.00 | — | 0.12 | | Nov 13, 2025 | pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting… |
| CVE-2025-9636 | | | 0.00 | — | 0.00 | | Sep 4, 2025 | pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. This vulnerability allows an attacker to manipulate the OAuth flow, potentially leading to unauthorised account access, account takeover, data breaches, and privilege escalation. |
| CVE-2025-2946 | | | 0.00 | — | 0.00 | | Apr 3, 2025 | pgAdmin <= 9.1 is affected by a Cross-Site Scripting (XSS) vulnerability in query result rendering: arbitrary HTML/JavaScript contained in query results is rendered and executes in the user's browser. |
| CVE-2025-2945 | | | 0.00 | — | 0.39 | | Apr 3, 2025 | Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). The vulnerability is associated with two POST endpoints: /sqleditor/query_tool/download, where the query_commited parameter, and /cloud/deploy, where the… |
| CVE-2023-1907 | | | 0.00 | — | 0.00 | | Jan 9, 2025 | A vulnerability was found in pgAdmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously. |
| CVE-2024-6238 | | | 0.00 | — | 0.00 | | Jun 25, 2024 | pgAdmin <= 8.8 has an installation directory permission issue. Because of this issue, attackers can gain unauthorised access to the installation directory on the Debian or RHEL 8 platforms. |
| CVE-2024-4216 | | | 0.00 | — | 0.00 | | May 2, 2024 | pgAdmin <= 8.5 is affected by an XSS vulnerability in the /settings/store API response JSON payload. This vulnerability allows attackers to execute malicious script on the client side. |
| CVE-2024-4215 | | | 0.00 | — | 0.01 | | May 2, 2024 | pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a legitimate account's username and password to authenticate to the application and perform sensitive actions within the application, such… |
| CVE-2023-5002 | | | 0.00 | — | 0.01 | | Sep 22, 2023 | A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API,… |
| CVE-2023-22298 | | | 0.00 | — | 0.01 | | Jan 17, 2023 | Open redirect vulnerability in pgAdmin 4 versions prior to v6.14 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user access a specially crafted URL. |
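The shell=True pattern named in CVE-2025-12763, shown beside its fix, as an added illustration of the bug class; this is not pgAdmin's code, and nothing here reproduces the actual pgAdmin backup module. `echo` and the Python interpreter stand in for pg_dump so the example runs without PostgreSQL, and the payload string, the storage directory and the metacharacter list are constructed for the example.

```python
"""Command injection through shell=True versus an argv list.

Added illustration of the bug class behind CVE-2025-12763; not pgAdmin code.
`echo` and the Python interpreter stand in for pg_dump, and PAYLOAD is a
constructed attacker-controlled "file name"."""
import json
import os
import pathlib
import re
import subprocess
import sys
import tempfile

# Constructed malicious path: closes the quoted argument and appends a command.
# `;` separates commands in POSIX shells; cmd.exe would use `&` instead.
PAYLOAD = 'backup.sql"; echo INJECTED; "'

# Assumed storage root for the path check below.
STORAGE_DIR = os.path.join(tempfile.gettempdir(), "pgadmin-storage-demo")

# Characters that mean something to sh or cmd.exe; none belongs in a dump file name.
SHELL_METACHARS = re.compile(r'[;&|<>`$"\'\n\r]')


def vulnerable_command(out_path: str) -> str:
    """Vulnerable pattern: interpolate the user path into one command string."""
    return f'echo --file="{out_path}"'


def run_vulnerable(out_path: str):
    """Run the interpolated string through the shell (shell=True).

    Returns the child's stdout, or None on Windows, where cmd.exe tokenises
    differently and the POSIX payload above would not split the command.
    """
    if os.name == "nt":
        return None
    result = subprocess.run(vulnerable_command(out_path), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_hardened(out_path: str) -> list:
    """Hardened pattern: pass an argv list and no shell.

    The child prints its argv as JSON so the caller can see that the whole
    payload arrived as a single, inert argument.
    """
    argv = [sys.executable, "-c",
            "import sys, json; print(json.dumps(sys.argv[1:]))",
            f"--file={out_path}"]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


def validate_output_path(user_path: str, storage_dir: str = STORAGE_DIR) -> str:
    """Defence in depth: reject metacharacters and confine the target to storage_dir."""
    if SHELL_METACHARS.search(user_path):
        raise ValueError("illegal characters in file name")
    base = pathlib.Path(storage_dir).resolve()
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise ValueError("path escapes the storage directory")
    return str(target)


def is_allowed_path(user_path: str) -> bool:
    """Boolean form of validate_output_path for callers that want a yes/no answer."""
    try:
        validate_output_path(user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("shell=True :", repr(run_vulnerable(PAYLOAD)))
    print("argv list  :", run_hardened(PAYLOAD))
    for p in ("dumps/db.sql", PAYLOAD, "../../etc/passwd"):
        print(f"{p!r:45} allowed={is_allowed_path(p)}")
```

On a POSIX host the shell=True run prints `INJECTED` on its own line, because the shell saw three commands; the argv-list run returns the entire payload as one `--file=` argument that no interpreter ever parses. The path check is the second layer: even with no shell involved, a dump target outside the storage directory is still a file-write primitive.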
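The two LDAP-flow issues in the table, CVE-2025-12764 (special LDAP characters in the username) and CVE-2025-12765 (TLS certificate verification bypass), as an added illustration of the bug classes and the checks that close them; this is not pgAdmin's code. The filter shape, the `sAMAccountName` attribute, the injected username and the use of the standard-library `ssl` module as the TLS layer are assumptions made for the example.

```python
"""LDAP filter escaping and strict TLS for the LDAP bind.

Added illustration of the bug classes behind CVE-2025-12764 (LDAP injection
via the username) and CVE-2025-12765 (TLS certificate verification bypass);
not pgAdmin code. The search filter shape, the attribute names and the use
of the standard-library ssl module as the TLS layer are assumptions."""
import ssl

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_filter_chars(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(username: str, escape: bool = True) -> str:
    """Build the user-lookup filter; escape=False reproduces the injectable form."""
    value = escape_filter_chars(username) if escape else username
    return f"(&(objectClass=person)(sAMAccountName={value}))"


# Constructed injection: closes the attribute assertion and adds a wildcard
# clause, so the filter matches every entry and server and client must handle
# far more data than a single-user lookup should produce.
INJECTED_USERNAME = "*)(objectClass=*"


def strict_tls_context(ca_file: str = None) -> ssl.SSLContext:
    """TLS settings an LDAPS/StartTLS client must keep: hostname check and chain verification."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def bypassing_tls_context() -> ssl.SSLContext:
    """The two assignments that silently disable certificate verification."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """Check to run before any bind: fail closed if verification has been turned off."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    print("unescaped:", user_search_filter(INJECTED_USERNAME, escape=False))
    print("escaped:  ", user_search_filter(INJECTED_USERNAME))
    print("strict verifies:", is_verifying(strict_tls_context()))
    print("bypass verifies:", is_verifying(bypassing_tls_context()))
```

Unescaped, the username turns a one-entry lookup into `(&(objectClass=person)(sAMAccountName=*)(objectClass=*))`, which every directory object satisfies; escaped, the same input is an inert literal `\2a\29\28objectClass=\2a`. The TLS half is a configuration check rather than a parser: a context whose `check_hostname` is false or whose `verify_mode` is `CERT_NONE` will bind to any server that answers, including one on the path between pgAdmin and the directory, so `is_verifying` belongs in the code path that opens the connection, not in a test suite alone.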
Page 2 of 2