CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2946 – Cross-Site Vulnerability(XSS) due to arbitrary HTML/JavaScript gets executed while query result rendering in Query Tool and View/Edit Data Tool of pgAdmin 4
https://notcve.org/view.php?id=CVE-2025-2946
03 Apr 2025 — pgAdmin <= 9.1 is affected by a security vulnerability with Cross-Site Scripting(XSS). If attackers execute any arbitrary HTML/JavaScript in a user's browser through query result rendering, then HTML/JavaScript runs on the browser. pgAdmin <= 9.1 is affected by a security vulnerability with Cross-Site Scripting(XSS). If attackers execute any arbitrary HTML/JavaScript in a user's browser through query result rendering, then HTML/JavaScript runs on the browser. • https://github.com/pgadmin-org/pgadmin4/issues/8602 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2945 – pgAdmin 4: Remote Code Execution in Query Tool and Cloud Deployment
https://notcve.org/view.php?id=CVE-2025-2945
03 Apr 2025 — Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). The vulnerability is associated with the 2 POST endpoints; /sqleditor/query_tool/download, where the query_commited parameter and /cloud/deploy endpoint, where the high_availability parameter is unsafely passed to the Python eval() function, allowing arbitrary code execution. This issue affects pgAdmin 4: before 9.2. Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment m... • https://github.com/pgadmin-org/pgadmin4/issues/8603 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.9EPSS: 87%CPEs: 1EXPL: 2CVE-2024-9014 – OAuth2 client id and secret exposed through the web browser in pgAdmin 4
https://notcve.org/view.php?id=CVE-2024-9014
23 Sep 2024 — pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data. • https://packetstorm.news/files/id/181851 • CWE-522: Insufficiently Protected Credentials •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6238 – pgAdmin 4 Installation Directory permission issue
https://notcve.org/view.php?id=CVE-2024-6238
25 Jun 2024 — pgAdmin <= 8.8 has an installation Directory permission issue. Because of this issue, attackers can gain unauthorised access to the installation directory on the Debian or RHEL 8 platforms. pgAdmin <= 8.8 has an installation Directory permission issue. Because of this issue, attackers can gain unauthorised access to the installation directory on the Debian or RHEL 8 platforms. • https://github.com/pgadmin-org/pgadmin4/issues/7605 • CWE-276: Incorrect Default Permissions •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4216 – XSS vulnerability in /settings/store API response json payload in pgAdmin 4
https://notcve.org/view.php?id=CVE-2024-4216
02 May 2024 — pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malicious script at the client end. pgAdmin <= 8.5 se ve afectado por una vulnerabilidad XSS en el payload json de respuesta API /settings/store. Esta vulnerabilidad permite a los atacantes ejecutar scripts maliciosos en el extremo del cliente. • https://github.com/pgadmin-org/pgadmin4/issues/7282 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4215 – The Multi Factor Authentication bypass vulnerability in pgAdmin 4
https://notcve.org/view.php?id=CVE-2024-4215
02 May 2024 — pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a legitimate account’s username and password may authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries, regardless of the account’s MFA enrollment status. pgAdmin <= 8.5 se ve afectado por una vulnerabilidad de omisión de autenticación multifactor. Esta vulnerabilidad permite que un atacan... • https://github.com/pgadmin-org/pgadmin4/issues/7425 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 85%CPEs: 1EXPL: 2CVE-2024-3116 – Remote Code Execution Vulnerability through the validate binary path API in pgAdmin 4
https://notcve.org/view.php?id=CVE-2024-3116
04 Apr 2024 — pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting PGAdmin, posing a severe risk to the database management system's integrity and the security of the underlying data. pgAdmin <= 8.4 se ve afectado por una vulnerabilidad de ejecución remota de código (RCE) a través de la API de validación de ruta binaria. Esta vulnerabilidad permite a los atacantes ejecutar códi... • https://packetstorm.news/files/id/180464 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.9EPSS: 73%CPEs: 1EXPL: 1CVE-2024-2044 – Unsafe Deserialisation and Remote Code Execution by an Authenticated user in pgAdmin 4
https://notcve.org/view.php?id=CVE-2024-2044
07 Mar 2024 — pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution. pgAdmin 4 utiliza un enfoque de gestión de sesiones basado en archivos. Los archivos de sesión se guardan en el... • https://packetstorm.news/files/id/178098 • CWE-31: Path Traversal: 'dir\..\..\filename' •
CVSS: 9.0EPSS: 14%CPEs: 3EXPL: 0CVE-2023-5002 – Pgadmin4: remote code execution by an authenticated user
https://notcve.org/view.php?id=CVE-2023-5002
22 Sep 2023 — A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server. Se encontró una falla en pgAdmin. Este problema ocurre cuando la API HTTP del servidor pgAdmin valida la ruta que un usuario selecciona a las utilidades externas d... • https://bugzilla.redhat.com/show_bug.cgi?id=2239164 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22298
https://notcve.org/view.php?id=CVE-2023-22298
17 Jan 2023 — Open redirect vulnerability in pgAdmin 4 versions prior to v6.14 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL. La vulnerabilidad de redireccionamiento abierto en las versiones de pgAdmin 4 anteriores a la v6.14 permite que un atacante remoto no autenticado redirija a un usuario a un sitio web arbitrario y realice un ataque de phishing haciendo que el usuario acceda a una URL especialmente... • https://github.com/pgadmin-org/pgadmin4 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •