CVE-2025-60797 identifies a SQL injection vulnerability in phpPgAdmin, an open-source web-based administration tool for PostgreSQL databases. The vulnerability exists in the dataexport.php file at line 118, where the application executes SQL queries directly from the $_REQUEST['query'] parameter using $data->conn->Execute($_REQUEST['query']) without any input validation, sanitization, or use of prepared statements. This lack of input handling allows an authenticated attacker to inject malicious SQL code, which the database executes with the privileges of the phpPgAdmin user. Exploitation can lead to unauthorized data access, data theft, or privilege escalation within the database environment. The vulnerability requires the attacker to be authenticated, which limits exposure but still presents a serious risk if credentials are compromised or weak. The CVSS v3.1 base score of 6.5 reflects a network attack vector with low complexity, requiring privileges but no user interaction, and impacts confidentiality with no direct impact on integrity or availability. No patches or known exploits are currently available, indicating the need for proactive mitigation. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

For European organizations using phpPgAdmin to manage PostgreSQL databases, this vulnerability could lead to significant data breaches, including unauthorized access to sensitive or regulated data. The ability to execute arbitrary SQL commands can compromise database confidentiality and potentially allow attackers to escalate privileges within the database environment. This could disrupt business operations, lead to regulatory non-compliance (e.g., GDPR violations), and damage organizational reputation. Since phpPgAdmin is commonly used in academic, governmental, and private sectors across Europe, the risk extends to critical infrastructure and sensitive data repositories. The requirement for authentication reduces the attack surface but does not eliminate risk, especially in environments with weak credential management or exposed phpPgAdmin interfaces. The absence of known exploits suggests a window of opportunity for defenders to implement mitigations before active exploitation occurs.

1. Immediately restrict access to phpPgAdmin interfaces to trusted networks and users only, using network segmentation and firewall rules. 2. Enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. 3. Monitor and audit phpPgAdmin access logs for suspicious activity or unauthorized login attempts. 4. Where possible, disable or remove the vulnerable dataexport.php functionality if not required. 5. Implement web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'query' parameter. 6. Apply principle of least privilege to database users associated with phpPgAdmin to limit the impact of any successful injection. 7. Stay alert for official patches or updates from phpPgAdmin maintainers and apply them promptly once available. 8. Educate administrators on the risks of executing arbitrary SQL queries and encourage use of parameterized queries or prepared statements in custom scripts. 9. Conduct regular vulnerability assessments and penetration tests focusing on database management interfaces.