pgadmin CVE Vulnerabilities & CVE List (30)

Products (CPE): — CVEs: 30

pgadmin vulnerability overview

Aggregates CVE and security vulnerability intelligence across all pgAdmin-related products, including CVSS scores, EPSS probabilities and publication dates.

Historical issues mainly involve cross-site scripting and path-handling flaws and related problems; some flaws may lead to session compromise, affecting production workloads.

Vulnerability distribution trend (last 24 months)

Each entry lists the CVE ID, the maximum CVSS score, the EPSS percentage, the published and updated dates and the source, followed by the summary as given on the page.

CVE-2026-7820 | Max CVSS 6.9 | EPSS 0.04% | Published 2026-05-11 | Updated 2026-05-26 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4. pgAdmin enforces MAX_LOGIN_ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.init_app() and is reachable on every server, never consulted the User.locked field: pgAdmin's User model relied on Flask-Security's UserMixin.is_locked() (which always returns 'not locked') and Flask-Login's is_active (which only checks the active

CVE-2026-7819 | Max CVSS 7.2 | EPSS 0.04% | Published 2026-05-11 | Updated 2026-05-26 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager. check_access_permission used os.path.abspath, which resolves '..' but does not resolve symbolic links, while the subsequent kernel write follows symlinks. An authenticated user could plant a symbolic link inside their own storage directory pointing outside it and induce pgAdmin to write to any path reachable by the pgAdmin process. Fix switches the access check to os.path.realpath for both source and destination, and adds

CVE-2026-7818 | Max CVSS 7.3 | EPSS 0.28% | Published 2026-05-11 | Updated 2026-05-26 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager. The session manager performed unsafe deserialization of session-file contents (using Python's standard object-serialization module) before performing any HMAC integrity check. Any file dropped into the sessions directory was deserialized unconditionally. An authenticated user with write access to the sessions directory (whether by misconfiguration or in combination with another path-traversal flaw) could plant a

CVE-2026-7817 | Max CVSS 7.1 | EPSS 0.03% | Published 2026-05-11 | Updated 2026-05-26 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints. User-supplied api_key_file and api_url preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by pointing api_key_file at any path readable by the pgAdmin process, or coerce pgAdmin into making requests to internal targets (e.g. cloud metadata services such as 169.254.169.254) by setting api_

CVE-2026-7816 | Max CVSS 8.7 | EPSS 0.12% | Published 2026-05-11 | Updated 2026-05-26 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export. User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable. Fix add

CVE-2026-7815 | Max CVSS 8.7 | EPSS 0.04% | Published 2026-05-11 | Updated 2026-05-26 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to esc

CVE-2026-7814 | Max CVSS 4.8 | EPSS 0.03% | Published 2026-05-11 | Updated 2026-05-26 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules. User-controlled PostgreSQL object names (database, schema, table, column, etc.) were assigned to DOM elements via innerHTML, allowing crafted object names containing HTML markup to execute attacker-supplied JavaScript in the browser of any pgAdmin user who navigated to or executed EXPLAIN over the malicious object. Fix replaces innerHTML with textContent. This issue affects pgAdmin 4: bef

CVE-2026-7813 | Max CVSS 9.4 | EPSS 0.06% | Published 2026-05-11 | Updated 2026-05-26 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could access another user's private servers, server groups, background processes, and debugger function arguments by guessing object IDs. Additionally, the Shared Servers feature contained multiple issues including credential leak

CVE-2026-1707 | Max CVSS 7.4 | EPSS 0.02% | Published 2026-02-05 | Updated 2026-02-26 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore operation, extract the `\restrict` key in real time, and race the restore process by overwriting the restore script with a payload that re-enables meta-commands using `\unrestrict <key>`. This results in reliable command ex

CVE-2025-13780 | Max CVSS 9.1 | EPSS 0.11% | Published 2025-12-11 | Updated 2025-12-19 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.

CVE-2025-12765 | Max CVSS 7.5 | EPSS 0.03% | Published 2025-11-13 | Updated 2025-11-19 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism that allows bypassing TLS certificate verification.

CVE-2025-12764 | Max CVSS 7.5 | EPSS 0.06% | Published 2025-11-13 | Updated 2025-11-19 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters in the username, causing the DC/LDAP server and the client to process an unusual amount of data (DoS).

CVE-2025-12763 | Max CVSS 6.8 | EPSS 0.03% | Published 2025-11-13 | Updated 2025-12-01 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input.

CVE-2025-12762 | Max CVSS 9.1 | EPSS 0.17% | Published 2025-11-13 | Updated 2025-12-01 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.

CVE-2025-9636 | Max CVSS 7.9 | EPSS 0.02% | Published 2025-09-04 | Updated 2025-09-11 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. This vulnerability allows an attacker to manipulate the OAuth flow, potentially leading to unauthorised account access, account takeover, data breaches, and privilege escalation.

CVE-2025-2946 | Max CVSS 9.1 | EPSS 0.13% | Published 2025-04-03 | Updated 2025-04-23 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: pgAdmin <= 9.1 is affected by a Cross-Site Scripting (XSS) vulnerability. If attackers inject arbitrary HTML/JavaScript into query result rendering, that HTML/JavaScript runs in the user's browser.

CVE-2025-2945 | Max CVSS 9.9 | EPSS 82.49% | Published 2025-04-03 | Updated 2025-09-17 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). The vulnerability is associated with two POST endpoints: /sqleditor/query_tool/download, where the query_commited parameter, and /cloud/deploy, where the high_availability parameter, is unsafely passed to the Python eval() function, allowing arbitrary code execution. This issue affects pgAdmin 4: before 9.2.

CVE-2023-1907 | Max CVSS 8.0 | EPSS 0.10% | Published 2025-01-09 | Updated 2025-06-20 | Source [email protected]
Summary: A vulnerability was found in pgAdmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.

CVE-2025-0218 | Max CVSS 5.5 | EPSS 0.06% | Published 2025-01-07 | Updated 2025-11-03 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: When batch jobs are executed by pgAgent, a script is created in a temporary directory and then executed. In versions of pgAgent prior to 4.2.3, an insufficiently seeded random number generator is used when generating the directory name, leading to the possibility for a local attacker to pre-create the directory and thus prevent pgAgent from executing jobs, disrupting scheduled tasks.

CVE-2024-9014 | Max CVSS 9.9 | EPSS 92.88% | Published 2024-09-23 | Updated 2025-09-22 | Source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Summary: pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data.
cvelogic Threat Intelligence