| purl | pkg:pypi/pgadmin4@9.8 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-5dzq-jz9c-cfgn (Aliases: CVE-2025-12764, GHSA-cvf4-f829-762v) | pgAdmin is affected by an LDAP injection vulnerability. pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters in the username, causing the DC/LDAP server and the client to process an unusual amount of data, resulting in a denial of service (DoS). | Affected by 2 other vulnerabilities. |
| VCID-9b19-nvgb-zud9 (Aliases: CVE-2025-13780, GHSA-fxmw-jcgr-w44v) | pgadmin4 has a Meta-Command Filter Command Execution vulnerability. The PLAIN restore meta-command filter introduced in pgAdmin as part of the fix for CVE-2025-12762 does not detect meta-commands when a SQL file begins with a UTF-8 Byte Order Mark (EF BB BF) or other special byte sequences. The implemented filter uses the function `has_meta_commands()`, which scans raw bytes using a regular expression. The regex does not treat these bytes as ignorable, so meta-commands such as `\!` remain undetected. When pgAdmin invokes psql with `--file`, psql strips the bytes and executes the command. This can result in remote command execution during a restore operation. | Affected by 1 other vulnerability. |
| VCID-eby7-n257-37av (Aliases: CVE-2026-1707, GHSA-3p7x-94q9-jq9x) | pgadmin4 is affected by a Restore restriction bypass via key disclosure vulnerability. pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore operation, extract the `\restrict` key in real time, and race the restore process by overwriting the restore script with a payload that re-enables meta-commands using `\unrestrict <key>`. This results in reliable command execution on the pgAdmin host during the restore operation. | Affected by 0 other vulnerabilities. |
| VCID-p221-f4ba-f7ep (Aliases: CVE-2025-12763, GHSA-rm79-x4g6-hvg5) | pgAdmin 4 has a command injection vulnerability on Windows systems. pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of `shell=True` during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input. | Affected by 2 other vulnerabilities. |
| VCID-q5ve-hbe7-xqfc (Aliases: CVE-2025-12765, GHSA-g4r8-3qmh-pmch) | pgAdmin has a vulnerability in the LDAP authentication mechanism that allows bypassing TLS certificate verification. pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism that allows bypassing TLS certificate verification. | Affected by 2 other vulnerabilities. |
| VCID-wrdq-n7p4-v7dg (Aliases: CVE-2025-12762, GHSA-w2p4-p4rh-qcm3) | pgAdmin4 is vulnerable to Remote Code Execution (RCE) when running in server mode. pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data. | Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-qpau-uavx-dydu | | CVE-2025-9636, GHSA-6859-2qxq-ffv2 |