CVE-2025-13780
Published 2025-12-11
Priority: P2 (67)
Severity: high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.85% (53.6th percentile)
pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pgadmin.org | pgadmin_4 | <= 9.10 | — |
| pgadmin | pgadmin_4 | <= 9.10 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
GHSA
pgadmin4 has a Meta-Command Filter Command Execution
ghsa·2025-12-11·CVSS 9.8·CRITICAL·CWE-77
The PLAIN restore meta-command filter introduced in pgAdmin as part of the fix for CVE-2025-12762 does not detect meta-commands when a SQL file begins with a UTF-8 Byte Order Mark (EF BB BF) or other special byte sequences. The filter is implemented by the function `has_meta_commands()`, which scans the raw bytes of the file with a regular expression. The regex does not treat these leading bytes as ignorable, so a meta-command such as `\!` placed after them remains undetected. When pgAdmin then invokes psql with --file, psql strips the bytes itself and executes the command. This can result in remote command execution during a restore operation.
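To make the failure mode concrete, here is an added illustration (not pgAdmin's own code): a raw-byte regex check in the spirit of the filter described above, which misses a meta-command on a BOM-prefixed first line, beside a hardened variant that normalizes each line start before checking. The function names, the regex and the sample dump bytes are assumptions constructed for this example; the hardened version deliberately strips any non-printable or non-ASCII prefix, not only the UTF-8 BOM, so it errs toward refusing a restore.

```python
import re

BOM_UTF8 = b"\xef\xbb\xbf"

# Constructed sample inputs (not real dump files): a PLAIN-format dump whose
# first line is a psql meta-command, with and without a UTF-8 BOM in front.
SAMPLE_PLAIN_DUMP = b"\\! echo hello\nCREATE TABLE t (id int);\n"
SAMPLE_BOM_DUMP = BOM_UTF8 + SAMPLE_PLAIN_DUMP
SAMPLE_CLEAN_DUMP = BOM_UTF8 + b"-- harmless header\nCREATE TABLE t (id int);\n"

# A line that starts with a backslash (after optional whitespace) is treated
# as a psql meta-command. Assumed pattern, modelled on the described filter.
META_RE = re.compile(rb"^\s*\\", re.MULTILINE)


def has_meta_commands_naive(data: bytes) -> bool:
    """Flawed check: the regex runs over raw bytes, so a BOM before the
    backslash on line 1 defeats the ^ anchor and the command is not seen.
    In a bytes pattern \\s matches only ASCII whitespace, never 0xEF."""
    return META_RE.search(data) is not None


def normalize_line_start(line: bytes) -> bytes:
    """Drop a leading UTF-8 BOM and then any further bytes outside printable
    ASCII (0x20..0x7E), so the check sees the first character psql would
    actually interpret. Conservative: may over-flag, never under-flag."""
    if line.startswith(BOM_UTF8):
        line = line[len(BOM_UTF8):]
    i = 0
    while i < len(line) and not (0x20 <= line[i] < 0x7F):
        i += 1
    return line[i:]


def has_meta_commands_hardened(data: bytes) -> bool:
    """Hardened check: normalize every line before asking whether it begins
    with a backslash, instead of trusting the raw byte layout of the file."""
    return any(META_RE.match(normalize_line_start(line))
               for line in data.splitlines())
```

A restore path would reject the file whenever `has_meta_commands_hardened()` returns True; the occasional false positive on an exotic first byte is preferable to letting psql run `\!` on the server.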
OSV
pgadmin4 has a Meta-Command Filter Command Execution
osv·2025-12-11·CVSS 9.8·CRITICAL
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-13780 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1·CRITICAL
## CVE-2025-13780: Python vulnerability analysis and mitigation
Description source: NVD (same summary as quoted above)
Score: 8.8
Published: December 11, 2025
Severity: HIGH
CNA Score: 9.1
Affected Technologies: Python, pgAdmin
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 37.8
Exploitation Probability (EPSS): 0.2
Affected packages and libra