CVE-2026-12047
Published 2026-06-19
CVE-2026-12047: HTML injection in pgAdmin 4's cloud deployment module
Priority: P4 · Severity: medium · CVSS 3.1 base score: 5.4
EPSS: 0.14% (3.5th percentile)
HTML injection in pgAdmin 4's cloud deployment module. The verify_credentials, deploy, regions, and update-server endpoints under /rds/, /azure/, /google/, and the top-level /cloud/ blueprint propagated AWS / Azure / Google SDK exception text — and the related file-resolution and database-commit exception text — into the JSON response body (the info and errormsg fields) without HTML-encoding. The Cloud Wizard frontend rendered these strings through html-react-parser, so an attacker-influenced exception message embedded structural HTML directly into the wizard's DOM.
The reported entry point is /rds/verify_credentials/. An authenticated pgAdmin user submits a crafted access_key whose value contains an payload; AWS STS rejects the credential with an IncompleteSignature exception whose text quotes the access_key verbatim; the pgAdmin backend forwards that text into the JSON info field; the Cloud Wizard's FormFooterMessage parses it as HTML. The browser fetches the iframe's src from an attacker-controlled host, and JavaScript executing inside the cross-origin iframe writes to parent.location, redirecting the victim's pgAdmin tab. Because the injection renders inside pgAdmin's own interface, X-Frame-Options and Content-Security-Policy frame-ancestors do not mitigate it. Baseline impact is self-targeted (the same user who supplied the payload sees the injection); escalation against other authenticated users requires an additional cross-site request-forgery primitive capable of submitting the malformed credential request with a valid X-pgA-CSRFToken in the victim's browser context.
The same unsanitised-error-into-JSON pattern was present across multiple sibling endpoints — Azure's check_cluster_name_availability, every Google endpoint that surfaces SDK errors (verification_ack, projects, regions, instance_types, database_versions, the verify_credentials path-resolution branches), the central /deploy endpoint that bubbles str(e) from deploy_on_rds / deploy_on_azure / depl
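The unsanitised-error-into-JSON pattern described above, beside the HTML-encoding fix, as an added Python example that is not pgAdmin's own code. The SDK stub, the IncompleteSignature class, the response shape and the tagged sample input are constructed stand-ins for the flow the advisory describes.

```python
import html
import json


class IncompleteSignature(Exception):
    """Constructed stand-in for the SDK error: its message quotes the caller's key."""


def verify_credentials_sdk(access_key: str) -> None:
    # Constructed stub: reject anything that is not a 20-char uppercase
    # alphanumeric key, and echo the rejected value back in the message,
    # mirroring the behaviour the advisory attributes to the real SDK error.
    if not (len(access_key) == 20 and access_key.isalnum() and access_key.isupper()):
        raise IncompleteSignature(
            f"'{access_key}' is not a valid key=value pair in the Authorization header"
        )


def verify_credentials_unsafe(access_key: str) -> str:
    # Vulnerable pattern: raw exception text lands in the JSON 'info' field,
    # which a frontend that parses HTML will turn into live DOM nodes.
    try:
        verify_credentials_sdk(access_key)
        return json.dumps({"success": 1, "info": "Credentials verified"})
    except Exception as e:
        return json.dumps({"success": 0, "info": str(e)})


def verify_credentials_fixed(access_key: str) -> str:
    # Hardened form: HTML-encode the message before it leaves the backend,
    # so an HTML-parsing consumer renders the angle brackets as text.
    try:
        verify_credentials_sdk(access_key)
        return json.dumps({"success": 1, "info": "Credentials verified"})
    except Exception as e:
        return json.dumps({"success": 0, "info": html.escape(str(e), quote=True)})


def info_contains_markup(response_json: str) -> bool:
    """Defender check: does the 'info' field still carry raw tag delimiters?"""
    info = json.loads(response_json)["info"]
    return "<" in info and ">" in info


if __name__ == "__main__":
    tainted = "<b>constructed sample</b>"  # constructed input, not a real payload
    print(verify_credentials_unsafe(tainted))   # 'info' still contains <b>...</b>
    print(verify_credentials_fixed(tainted))    # 'info' contains &lt;b&gt;...&lt;/b&gt;
```

The same check can be pointed at captured JSON responses from the affected endpoints to confirm a deployment is patched: a patched backend never returns unescaped tag delimiters in info or errormsg for an error that echoes caller input.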
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pgadmin.org | pgadmin_4 | >= 6.6 < 9.16 | 9.16 |
| pgadmin | pgadmin_4 | >= 6.6 < 9.16 | 9.16 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| NVD | 4.0 | 4.8 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| Red Hat (vendor) | | 4.6 | MEDIUM | |
Red Hat
CVE-2026-12047 [MEDIUM] CWE-79 pgadmin4: pgAdmin 4: HTML injection via unsanitized SDK exception messages in cloud deployment module
vendor_redhat · 2026-06-18 · CVSS 4.6
A flaw was found in pgAdmin 4. An authenticated pgAdmin user can exploit an HTML injection vulnerability in the cloud deployment module. By submitting a crafted input that triggers an SDK exception, an attacker can embed structural HTML directly into the Cloud Wizard's interface. This can lead to client-side redirection or the execution of arbitrary code within the user's browser, potentially enabling information disclosure or further attacks.
Statement: Moderate: An HTML injection vulnerability in pgAdmin 4's cloud deployment module allows an authenticated user to embed malicious HTML into the Cloud Wizard interface. This flaw, triggered by crafted input causing an SDK exception, can le
GHSA
CVE-2026-12047 [MEDIUM] CWE-79 HTML injection in pgAdmin 4's cloud deployment module.
ghsa_unreviewed · 2026-06-19
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-12047 [MEDIUM] pgadmin4: pgAdmin 4: HTML injection via unsanitized SDK exception messages in cloud deployment module
bugzilla · 2026-06-19
Bugzilla
CVE-2026-12047 [MEDIUM] pgadmin4: pgAdmin 4: HTML injection via unsanitized SDK exception messages in cloud deployment module [fedora-all]
bugzilla · 2026-06-19
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-c248414214 (pgadmin4-9.16-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-c248414214
---
FEDORA-2026-5938be3b09 (pgadmin4-9.16-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-5938be3b09
---
FEDORA-2026-c248414214 has been pushed to the Fedora 44 testing repository.
Soon you'll be able to install th