pgadmin.org pgAdmin 4 vulnerabilities
30 known vulnerabilities affecting pgadmin.org/pgadmin_4.
Total CVEs: 30
CISA KEV: 0
Public exploits: 4
Exploited in wild: 1
Severity breakdown: CRITICAL 6, HIGH 13, MEDIUM 11
Vulnerabilities
Page 2 of 2
CVE-2026-7817 [MEDIUM] CWE-552
P3 | CVSS 6.5 | versions ≥ 9.13, < 9.15 | 2026-05-11
Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints.
User-supplied api_key_file and api_url preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by pointing api_key_file at any path readable by the
Source: NVD

CVE-2026-1707 [MEDIUM] CWE-284
P3 | CVSS 6.3 | v9.11 | 2026-02-05
pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore operation, extract the `\restrict` key in real time, and race the restore pro
Source: NVD

CVE-2026-7820 [MEDIUM] CWE-307
P3 | CVSS 6.5 | fixed in 9.15 | 2026-05-11
Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4.
pgAdmin enforces MAX_LOGIN_ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.init_app() and is reachable on every server, never consulted the User.locked field: pgAdmin's User mode
Source: NVD

CVE-2026-12049 [MEDIUM] CWE-601
P4 | CVSS 6.1 | versions ≥ 6.0, < 9.16 | 2026-06-19
Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next= -- a link typically delivered by phishing -- would be sent to an attacker-c
Source: NVD

CVE-2026-12047 [MEDIUM] CWE-79
P4 | CVSS 5.4 | versions ≥ 6.6, < 9.16 | 2026-06-19
HTML injection in pgAdmin 4's cloud deployment module. The verify_credentials, deploy, regions, and update-server endpoints under /rds/, /azure/, /google/, and the top-level /cloud/ blueprint propagated AWS / Azure / Google SDK exception text — and the related file-resolution and database-commit exception text — into the JSON response body (the info a
Source: NVD

CVE-2026-12048 [MEDIUM] CWE-79
P4 | CVSS 5.4 | versions ≥ 6.0, < 9.16 | 2026-06-19
Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server (ErrorResponse messages, including object names quoted back inside relation-does-not-exist errors and inside EXPLAIN Recheck Cond / Exact Heap Blocks fields) was passed verbatim through html-react-parser at every user-facing
Source: NVD

CVE-2024-6238 [MEDIUM] CWE-276
P4 | CVSS 5.3 | fixed in 8.9 | 2024-06-25
pgAdmin <= 8.8 has an installation directory permission issue. Because of this issue, attackers can gain unauthorised access to the installation directory on the Debian or RHEL 8 platforms.
Source: NVD

CVE-2024-4216 [MEDIUM] CWE-79
P4 | CVSS 5.4 | fixed in 8.6 | 2024-05-02
pgAdmin <= 8.5 is affected by an XSS vulnerability in the /settings/store API response JSON payload. This vulnerability allows attackers to execute malicious script at the client end.
Source: NVD

CVE-2025-2946 [MEDIUM] CWE-79
P4 | CVSS 6.1 | fixed in 9.2 | 2025-04-03
pgAdmin <= 9.1 is affected by a Cross-Site Scripting (XSS) vulnerability. If attackers inject arbitrary HTML/JavaScript through query result rendering, that HTML/JavaScript runs in the user's browser.
Source: NVD

CVE-2026-7814 [MEDIUM] CWE-79
P4 | CVSS 4.8 | versions ≥ 6.9, < 9.15 | 2026-05-11
Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules.
User-controlled PostgreSQL object names (database, schema, table, column, etc.) were assigned to DOM elements via innerHTML, allowing crafted object names containing HTML markup to execute attacker-supplied JavaScript in the browser of any pgAdmin
Source: NVD
