CVE-2025-12762 — Code Injection in 4

CWE-94 — Code Injection CWE-77 — Command Injection CWE-787 — Out-of-bounds Write6 documents5 sources

Severity

9.8CRITICALNVD

CNA9.1GHSA9.1

EPSS

0.1%

top 70.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pgadmin 4 Pgadmin.org Pgadmin 4

Timeline

PublishedNov 13

Latest updateDec 11

Description

pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDpgadmin/pgadmin_4< 9.10

▶CVEListV5pgadmin.org/pgadmin_49.9

🔴Vulnerability Details

GHSA

pgadmin4 has a Meta-Command Filter Command Execution↗2025-12-11

▶

OSV

pgAdmin4 vulnerable to Remote Code Execution (RCE) when running in server mode↗2025-11-13

▶

CVEList

Remote Code Execution vulnerability when restoring PLAIN-format SQL dumps in server mode (pgAdmin 4)↗2025-11-13

▶

GHSA

pgAdmin4 vulnerable to Remote Code Execution (RCE) when running in server mode↗2025-11-13

▶

📋Vendor Advisories

Microsoft

json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file as demonstrated by printbuf_memappend.↗2020-05-12

▶