CVE-2025-13780 — Code Injection in Pgadmin 4

CWE-94 — Code Injection CWE-77 — Command Injection5 documents5 sources

Severity

8.8HIGHNVD

CNA9.1GHSA9.8OSV9.8

EPSS

0.2%

top 61.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pgadmin.org Pgadmin 4 Pgadmin 4

Timeline

PublishedDec 11

Description

pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDpgadmin/pgadmin_49.10

▶CVEListV5pgadmin.org/pgadmin_49.10

🔴Vulnerability Details

CVEList

Remote Code Execution vulnerability when restoring PLAIN-format SQL dumps in server mode (pgAdmin 4)↗2025-12-11

▶

GHSA

pgadmin4 has a Meta-Command Filter Command Execution↗2025-12-11

▶

OSV

pgadmin4 has a Meta-Command Filter Command Execution↗2025-12-11

▶

🕵️Threat Intelligence

Wiz

CVE-2025-13780 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶