CVE-2025-12763OS Command Injection in 4

CWE-78OS Command Injection4 documents4 sources
Severity
8.8HIGHNVD
CNA6.8
EPSS
0.0%
top 90.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Pgadmin 4Pgadmin.org Pgadmin 4
Timeline
PublishedNov 13

Description

pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDpgadmin/pgadmin_4< 9.10
CVEListV5pgadmin.org/pgadmin_49.9

🔴Vulnerability Details

3
GHSA
pgAdmin 4 has command injection vulnerability on Windows systems2025-11-13
OSV
pgAdmin 4 has command injection vulnerability on Windows systems2025-11-13
CVEList
Command injection vulnerability allowing arbitrary command execution on Windows2025-11-13
CVE-2025-12763 — OS Command Injection in Pgadmin 4 | cvebase