Pgadmin 4 vulnerabilities
32 known vulnerabilities affecting pgadmin/pgadmin_4.
Total CVEs: 32
CISA KEV: 0
Public exploits: 5
Exploited in wild: 1
Severity breakdown: CRITICAL 4, HIGH 14, MEDIUM 14
Vulnerabilities
Page 2 of 2
CVE-2026-7817 | P3 | MEDIUM | CVSS 6.5 | CWE-552 | Affected: ≥ 9.13, < 9.15 | Date: 2026-05-11 | Source: nvd
Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints.
User-supplied api_key_file and api_url preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by pointing api_key_file at any path readable by the
CVE-2026-1707 | P3 | MEDIUM | CVSS 6.3 | CWE-284 | Affected: v9.11 | Date: 2026-02-05 | Source: nvd
pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore operation, extract the `\restrict` key in real time, and race the restore pro
CVE-2026-7820 | P3 | MEDIUM | CVSS 6.5 | CWE-307 | Fixed in: 9.15 | Date: 2026-05-11 | Source: nvd
Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4.
pgAdmin enforces MAX_LOGIN_ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.init_app() and is reachable on every server, never consulted the User.locked field: pgAdmin's User mode
CVE-2022-0959 | P3 | MEDIUM | CVSS 6.5 | CWE-434 | Fixed in: 6.7 | vpgadmin 6.7 | Date: 2022-03-16 | Source: nvd
A malicious, but authorised and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account under which pgAdmin is running has permission to write.
CVE-2026-12049 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | Affected: ≥ 6.0, < 9.16 | Date: 2026-06-19 | Source: nvd
Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next= -- a link typically delivered by phishing -- would be sent to an attacker-c
CVE-2023-22298 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | Affected: ≥ 4.0, < 6.14 | Date: 2023-01-17 | Source: nvd
Open redirect vulnerability in pgAdmin 4 versions prior to v6.14 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user access a specially crafted URL.
CVE-2026-12047 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≥ 6.6, < 9.16 | Date: 2026-06-19 | Source: nvd
HTML injection in pgAdmin 4's cloud deployment module. The verify_credentials, deploy, regions, and update-server endpoints under /rds/, /azure/, /google/, and the top-level /cloud/ blueprint propagated AWS / Azure / Google SDK exception text — and the related file-resolution and database-commit exception text — into the JSON response body (the info a
CVE-2026-12048 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≥ 6.0, < 9.16 | Date: 2026-06-19 | Source: nvd
Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server (ErrorResponse messages, including object names quoted back inside relation-does-not-exist errors and inside EXPLAIN Recheck Cond / Exact Heap Blocks fields) was passed verbatim through html-react-parser at every user-facing
CVE-2024-6238 | P4 | MEDIUM | CVSS 5.3 | CWE-276 | Fixed in: 8.9 | Date: 2024-06-25 | Source: nvd
pgAdmin <= 8.8 has an installation directory permission issue. Because of this issue, attackers can gain unauthorised access to the installation directory on the Debian or RHEL 8 platforms.
CVE-2024-4216 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Fixed in: 8.6 | Date: 2024-05-02 | Source: nvd
pgAdmin <= 8.5 is affected by an XSS vulnerability in the /settings/store API response JSON payload. This vulnerability allows attackers to execute malicious script at the client end.
CVE-2025-2946 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 9.1 | Date: 2025-04-03 | Source: nvd
pgAdmin <= 9.1 is affected by a Cross-Site Scripting (XSS) vulnerability. Attackers can inject arbitrary HTML/JavaScript through query result rendering, and that HTML/JavaScript then runs in the user's browser.
CVE-2026-7814 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | Affected: ≥ 6.9, < 9.15 | Date: 2026-05-11 | Source: nvd
Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules.
User-controlled PostgreSQL object names (database, schema, table, column, etc.) were assigned to DOM elements via innerHTML, allowing crafted object names containing HTML markup to execute attacker-supplied JavaScript in the browser of any pgAdmin