CVE-2025-60797
Published 2025-11-20
CVE-2025-60797: phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied SQL queries…
Priority P3 · 46 · medium · 6.5 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.23% (14.0th percentile)
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied SQL queries from the $_REQUEST['query'] parameter without any sanitization or parameterization via $data->conn->Execute($_REQUEST['query']). An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or privilege escalation.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | phppgadmin | — | — |
| phppgadmin | phppgadmin | 0 – 7.13.0 | — |
| phppgadmin_project | phppgadmin | <= 7.13.0 | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| osv | 6.5 | MEDIUM | — |
| vendor_debian | 6.5 | MEDIUM | — |
OSV
CVE-2025-60797: phpPgAdmin 7
osv · 2025-11-20 · CVSS 6.5 · MEDIUM
OSV
phppgadmin contains a SQL injection vulnerability
osv · 2025-11-20 · MEDIUM
GHSA
phppgadmin contains a SQL injection vulnerability
ghsa · 2025-11-20 · MEDIUM · CWE-89
Debian
CVE-2025-60797: phppgadmin - phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexpo...
vendor_debian · 2025 · CVSS 6.5 · MEDIUM
Scope: local
forky: undetermined
sid: undetermined
trixie: undetermined
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-11-20