Package details: pkg:pypi/pgadmin4@9.11
purl pkg:pypi/pgadmin4@9.11
Next non-vulnerable version 9.12
Latest non-vulnerable version 9.15
Risk
Vulnerabilities affecting this package (1)
Vulnerability: VCID-eby7-n257-37av
Aliases: CVE-2026-1707, GHSA-3p7x-94q9-jq9x
Summary: pgadmin4 affected by a Restore restriction bypass via key disclosure vulnerability. pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore operation, extract the `\restrict` key in real time, and race the restore process by overwriting the restore script with a payload that re-enables meta-commands using `\unrestrict <key>`. This results in reliable command execution on the pgAdmin host during the restore operation.
Fixed by: 9.12 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-9b19-nvgb-zud9
Aliases: CVE-2025-13780, GHSA-fxmw-jcgr-w44v
Summary: pgadmin4 has a Meta-Command Filter Command Execution. The PLAIN restore meta-command filter introduced in pgAdmin as part of the fix for CVE-2025-12762 does not detect meta-commands when a SQL file begins with a UTF-8 Byte Order Mark (EF BB BF) or other special byte sequences. The implemented filter uses the function `has_meta_commands()`, which scans raw bytes using a regular expression. The regex does not treat the bytes as ignorable, so meta-commands such as `\\!` remain undetected. When pgAdmin invokes psql with --file, psql strips the bytes and executes the command. This can result in remote command execution during a restore operation.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-01T09:34:36.634685+00:00 | GitLab Importer | Affected by | VCID-eby7-n257-37av | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pgadmin4/CVE-2026-1707.yml | 38.6.0 |
| 2026-05-31T11:00:41.664177+00:00 | GithubOSV Importer | Fixing | VCID-9b19-nvgb-zud9 | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-fxmw-jcgr-w44v/GHSA-fxmw-jcgr-w44v.json | 38.6.0 |
| 2026-05-31T01:06:12.884959+00:00 | GHSA Importer | Fixing | VCID-9b19-nvgb-zud9 | https://github.com/advisories/GHSA-fxmw-jcgr-w44v | 38.6.0 |
| 2026-05-30T21:05:31.041481+00:00 | GitLab Importer | Fixing | VCID-9b19-nvgb-zud9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pgadmin4/CVE-2025-13780.yml | 38.6.0 |