CVE-2025-12763
Published 2025-11-13
Priority: P3 55
Severity: high (CVSS 3.1 base score 8.8)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.74% (49.9th percentile)
pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input.
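The mechanism named in the description (a backup or restore command line assembled as one string and handed to the shell via shell=True, so a user-supplied file path is parsed as shell syntax) is illustrated below with an added example. This is not pgAdmin's code: the "backup tool" is the current Python interpreter echoing its arguments, standing in for pg_dump, the crafted path is constructed for the demonstration, and the injected command is a harmless echo. Beside the vulnerable string form it shows the argv-list form that removes the shell from the picture, and a path check that confines the output file as defence in depth.

```python
"""Command injection through shell=True, and the argv-list form that avoids it.

Added example; not pgAdmin's own code.  The stand-in tool, the database name
and the crafted path are all constructed for this demonstration.
"""
import ast
import subprocess
import sys
from pathlib import Path

# Hypothetical stand-in for pg_dump: a Python one-liner that prints its argv.
TOOL = sys.executable
TOOL_ARGS = ["-c", "import sys; print(sys.argv[1:])"]

# Constructed attacker-controlled "file path".  '&&' ends the first command and
# starts a second one on both cmd.exe (Windows) and POSIX sh.
CRAFTED_PATH = "backup.sql && echo INJECTED"

# Characters that have meaning to cmd.exe / sh or can break a command line.
_FORBIDDEN = set('&|;<>^$`"\'\n\r\0')


def vulnerable_cmdline(output_path: str, dbname: str) -> str:
    """Vulnerable pattern: the whole command is one string.  With shell=True the
    shell tokenises it, so metacharacters inside output_path become syntax."""
    tool_args = " ".join(f'"{a}"' for a in TOOL_ARGS)
    return f'"{TOOL}" {tool_args} --file={output_path} {dbname}'


def run_vulnerable(output_path: str, dbname: str) -> str:
    """Runs the string through the system shell and returns captured stdout."""
    proc = subprocess.run(vulnerable_cmdline(output_path, dbname),
                          shell=True, capture_output=True, text=True)
    return proc.stdout


def hardened_argv(output_path: str, dbname: str) -> list:
    """Hardened pattern: an argv list.  Each element reaches the child as exactly
    one argument and no shell ever parses it, so '&&' is just part of a name."""
    return [TOOL, *TOOL_ARGS, f"--file={output_path}", dbname]


def run_hardened(output_path: str, dbname: str) -> list:
    """Runs the argv list (shell=False) and returns the argv the tool received."""
    proc = subprocess.run(hardened_argv(output_path, dbname),
                          capture_output=True, text=True, check=True)
    return ast.literal_eval(proc.stdout.strip())


def windows_cmdline(argv: list) -> str:
    """The single command-line string CreateProcess gets on Windows, built with
    the MS C runtime quoting rules.  It goes to the child directly, not to
    cmd.exe, so the quoted '&&' is data for the child's own argv parser."""
    return subprocess.list2cmdline(argv)


def validate_output_path(user_path: str, backup_root: str) -> Path:
    """Defence in depth on top of the argv form: reject shell and control
    characters outright and keep the target inside a server-owned directory.
    Raises ValueError on any violation."""
    if any(ch in _FORBIDDEN for ch in user_path):
        raise ValueError("illegal character in backup file name")
    root = Path(backup_root).resolve()
    target = (root / user_path).resolve()      # absolute user_path replaces root
    if not target.is_relative_to(root):        # catches '..' and absolute paths
        raise ValueError("backup path escapes the backup directory")
    return target


def is_safe_output_path(user_path: str, backup_root: str) -> bool:
    """Boolean wrapper around validate_output_path."""
    try:
        validate_output_path(user_path, backup_root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("shell=True output:\n" + run_vulnerable(CRAFTED_PATH, "appdb"))
    print("argv-list output:", run_hardened(CRAFTED_PATH, "appdb"))
    print("Windows command line:", windows_cmdline(hardened_argv(CRAFTED_PATH, "appdb")))
    for p in ("nightly.sql", CRAFTED_PATH, "../../outside.sql"):
        print(f"{p!r}: {'accepted' if is_safe_output_path(p, 'backups') else 'rejected'}")
```

Two caveats for the argv form on Windows. First, the child still receives one flat string (what windows_cmdline shows) and splits it itself; list2cmdline uses the quoting that C-runtime programs such as pg_dump expect, so it is correct for them, but a tool with its own parsing rules may disagree. Second, if the invoked program is a .bat or .cmd file, Windows runs it through cmd.exe even with shell=False, and the crafted argument is parsed as shell syntax again; never put user data on the command line of a batch wrapper. The path check is independent of both: it also stops the path from pointing at a file the server should not write or read.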
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pgadmin.org | pgadmin_4 | <= 9.9 | — |
| pgadmin | pgadmin_4 | < 9.10 | 9.10 |
GHSA
GHSA advisory, 2025-11-13: pgAdmin 4 has command injection vulnerability on Windows systems (CVE-2025-12763, severity MEDIUM, CWE-78). The advisory carries the same description as above.
OSV
OSV entry, 2025-11-13: pgAdmin 4 has command injection vulnerability on Windows systems (CVE-2025-12763, severity MEDIUM). The entry carries the same description as above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.