CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2025-13780 – Remote Code Execution vulnerability when restoring PLAIN-format SQL dumps in server mode (pgAdmin 4)
https://notcve.org/view.php?id=CVE-2025-13780
11 Dec 2025 — pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data. These are all security issues fixed in the pgadmin4-9.11-1.1 package on the GA media of openSUSE Tumbleweed. • https://packetstorm.news/files/id/213056 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-12765 – pgAdmin 4: LDAP authentication flow vulnerable to TLS certificate verification bypass.
https://notcve.org/view.php?id=CVE-2025-12765
13 Nov 2025 — pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism that allows bypassing TLS certificate verification. This update for pgadmin4 fixes the following issues. Insufficient checks in the LDAP authentication flow allow a bypass of TLS certificate validation that can lead to the stealing of bind credentials and the altering of directory responses. Imprope... • https://github.com/pgadmin-org/pgadmin4/issues/9324 • CWE-295: Improper Certificate Validation
CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-12764 – pgAdmin 4: LDAP injection vulnerability in LDAP authentication flow.
https://notcve.org/view.php?id=CVE-2025-12764
13 Nov 2025 — pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters in the username, causing the DC/LDAP server and the client to process an unusual amount of data (DoS). This update for pgadmin4 fixes the following issues. Insufficient checks in the LDAP authentication flow allow a bypass of TLS certificate validation that can lead to the stealing of bind credentials and the altering of directory responses. Improper valid... • https://github.com/pgadmin-org/pgadmin4/issues/9325 • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CVSS: 8.3 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-12763 – Command injection vulnerability allowing arbitrary command execution on Windows
https://notcve.org/view.php?id=CVE-2025-12763
13 Nov 2025 — pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input. These are all security issues fixed in the pgadmin4-9.11-1.1 package on the GA media of openSUSE Tumbleweed. • https://github.com/pgadmin-org/pgadmin4/issues/9323 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-12762 – Remote Code Execution vulnerability when restoring PLAIN-format SQL dumps in server mode (pgAdmin 4)
https://notcve.org/view.php?id=CVE-2025-12762
13 Nov 2025 — pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data. These are all security issues fixed in the pgadmin4-9.11-1.1 package on the GA media of openSUSE Tumbleweed. • https://github.com/pgadmin-org/pgadmin4/issues/9320 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 7.9 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-9636 – Cross-Origin Opener Policy Vulnerability in pgAdmin 4
https://notcve.org/view.php?id=CVE-2025-9636
04 Sep 2025 — pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. This vulnerability allows an attacker to manipulate the OAuth flow, potentially leading to unauthorised account access, account takeover, data breaches, and privilege escalation. • https://github.com/pgadmin-org/pgadmin4/issues/9114 • CWE-346: Origin Validation Error
CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-2946 – Cross-Site Scripting (XSS) vulnerability: arbitrary HTML/JavaScript gets executed during query result rendering in the Query Tool and View/Edit Data Tool of pgAdmin 4
https://notcve.org/view.php?id=CVE-2025-2946
03 Apr 2025 — pgAdmin <= 9.1 is affected by a Cross-Site Scripting (XSS) vulnerability. If attackers get arbitrary HTML/JavaScript into the query results, it is rendered and executed in the user's browser. These are all security issues fixed in the pgadm... • https://github.com/pgadmin-org/pgadmin4/issues/8602 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 9.9 | EPSS: 77% | CPEs: 1 | EXPL: 3 | CVE-2025-2945 – pgAdmin 4: Remote Code Execution in Query Tool and Cloud Deployment
https://notcve.org/view.php?id=CVE-2025-2945
03 Apr 2025 — Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). The vulnerability is associated with two POST endpoints: /sqleditor/query_tool/download, where the query_commited parameter, and /cloud/deploy, where the high_availability parameter, is unsafely passed to the Python eval() function, allowing arbitrary code execution. This issue affects pgAdmin 4: before 9.2. • https://packetstorm.news/files/id/190447 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 9.9 | EPSS: 92% | CPEs: 1 | EXPL: 3 | CVE-2024-9014 – OAuth2 client id and secret exposed through the web browser in pgAdmin 4
https://notcve.org/view.php?id=CVE-2024-9014
23 Sep 2024 — pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data. This update for pgadmin4 fixes the following issues. Fixed socket.io: unhandled 'error' event. Fixed requirejs: prototype pollution via function config. • https://packetstorm.news/files/id/181851 • CWE-522: Insufficiently Protected Credentials
CVSS: 7.4 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2024-6238 – pgAdmin 4 Installation Directory permission issue
https://notcve.org/view.php?id=CVE-2024-6238
25 Jun 2024 — pgAdmin <= 8.8 has an installation directory permission issue. Because of this issue, attackers can gain unauthorised access to the installation directory on the Debian or RHEL 8 platforms. These are all security issues fixed in the pgadmin4-9.2-1.1 package on the GA media of openSUSE Tumbleweed. • https://github.com/pgadmin-org/pgadmin4/issues/7605 • CWE-276: Incorrect Default Permissions
