| purl | pkg:pypi/pgadmin4@8.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-5dzq-jz9c-cfgn (CVE-2025-12764, GHSA-cvf4-f829-762v) | pgAdmin is affected by an LDAP injection vulnerability. pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters into the username, causing the DC/LDAP server and the client to process an unusual amount of data (denial of service). | Affected by 2 other vulnerabilities. |
| VCID-77wh-gw5e-muc8 (CVE-2024-4215, GHSA-2mvc-557g-5638) | | Affected by 10 other vulnerabilities. |
| VCID-9b19-nvgb-zud9 (CVE-2025-13780, GHSA-fxmw-jcgr-w44v) | pgadmin4 has a meta-command filter command execution vulnerability. The PLAIN restore meta-command filter introduced in pgAdmin as part of the fix for CVE-2025-12762 does not detect meta-commands when a SQL file begins with a UTF-8 Byte Order Mark (EF BB BF) or other special byte sequences. The implemented filter uses the function `has_meta_commands()`, which scans raw bytes using a regular expression. The regex does not treat these bytes as ignorable, so meta-commands such as `\!` remain undetected. When pgAdmin invokes psql with --file, psql strips the bytes and executes the command. This can result in remote command execution during a restore operation. | Affected by 1 other vulnerability. |
| VCID-chk6-9u1j-jud8 (CVE-2025-2945, GHSA-g73c-fw68-pwx3) | | Affected by 7 other vulnerabilities. |
| VCID-eby7-n257-37av (CVE-2026-1707, GHSA-3p7x-94q9-jq9x) | pgadmin4 is affected by a restore restriction bypass via key disclosure vulnerability. pgAdmin version 9.11 is affected by a restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore operation, extract the `\restrict` key in real time, and race the restore process by overwriting the restore script with a payload that re-enables meta-commands using `\unrestrict <key>`. This results in reliable command execution on the pgAdmin host during the restore operation. | Affected by 0 other vulnerabilities. |
| VCID-f6jg-w5uk-7bgh (CVE-2024-9014, GHSA-jm9x-rx9x-wpqj) | | Affected by 9 other vulnerabilities. |
| VCID-gqdx-vmwg-4qh3 (CVE-2024-4216, GHSA-xv64-8p4r-94gq) | | Affected by 10 other vulnerabilities. |
| VCID-krfv-nb51-bkck (CVE-2025-2946, GHSA-2rrx-pphc-qfv9) | | Affected by 7 other vulnerabilities. |
| VCID-mm3y-1qbx-rfg3 (CVE-2024-3116, GHSA-27jx-ffw8-xrqv) | pgAdmin Remote Code Execution (RCE) vulnerability. pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting pgAdmin, posing a severe risk to the database management system's integrity and the security of the underlying data. | Affected by 12 other vulnerabilities. |
| VCID-p221-f4ba-f7ep (CVE-2025-12763, GHSA-rm79-x4g6-hvg5) | pgAdmin 4 has a command injection vulnerability on Windows systems. pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input. | Affected by 2 other vulnerabilities. |
| VCID-q5ve-hbe7-xqfc (CVE-2025-12765, GHSA-g4r8-3qmh-pmch) | pgAdmin has a vulnerability in the LDAP authentication mechanism that allows bypassing TLS certificate verification. pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism that allows bypassing TLS certificate verification. | Affected by 2 other vulnerabilities. |
| VCID-qpau-uavx-dydu (CVE-2025-9636, GHSA-6859-2qxq-ffv2) | | Affected by 6 other vulnerabilities. |
| VCID-wrdq-n7p4-v7dg (CVE-2025-12762, GHSA-w2p4-p4rh-qcm3) | pgAdmin4 is vulnerable to Remote Code Execution (RCE) when running in server mode. pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data. | Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-zban-n2e1-suf7 | pgAdmin 4 is vulnerable to unsafe deserialization and Remote Code Execution by an authenticated user. pgAdmin prior to version 8.4 is affected by a path-traversal vulnerability while deserializing users' sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them and gain code execution. | CVE-2024-2044, GHSA-rj98-crf4-g69w |