CVE-2026-12048: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pgadmin.org pgAdmin 4
CVE-2026-12048 is a critical stored cross-site scripting (XSS) vulnerability in pgAdmin 4 affecting versions from 6.0 up to but not including 9.16. The vulnerability arises from improper neutralization of input during web page generation, where text returned by a PostgreSQL server is passed without sanitization into multiple user-facing components. This allows an attacker controlling a PostgreSQL server or influencing object names to inject arbitrary HTML, including iframes, into the pgAdmin interface. The injected content can execute attacker-controlled JavaScript and redirect the user's browser tab to malicious sites. Standard anti-clickjacking protections do not mitigate this issue due to the injection originating within pgAdmin's own DOM. The vendor has implemented a multi-layered fix involving DOMPurify sanitization, introduction of plain-text rendering components, and backend HTML escaping. No official patch release or advisory link is provided yet.
AI Analysis
Technical Summary
This vulnerability is a stored cross-site scripting (CWE-79) flaw in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server, including error messages and explain plan details, was passed verbatim through html-react-parser to various user interface components without proper sanitization. An attacker controlling a PostgreSQL server or influencing database object names can inject arbitrary HTML, including iframes, into the pgAdmin DOM when a victim connects or views an explain plan referencing crafted objects. The injected iframe can load attacker JavaScript and redirect the top-level pgAdmin browser tab. Because the injection occurs inside pgAdmin's interface, typical anti-clickjacking headers do not prevent exploitation. The fix involves three layers: wrapping html-react-parser calls with DOMPurify sanitization, migrating many UI components to use plain-text rendering contracts, and applying backend HTML escaping to prevent raw markup in API consumers. The affected versions are pgAdmin 4 from 6.0 up to but not including 9.16.
Potential Impact
Successful exploitation allows an attacker controlling a PostgreSQL server or influencing database object names to inject arbitrary HTML and JavaScript into the pgAdmin 4 interface of a connected user. This can lead to execution of attacker-controlled scripts within the context of the pgAdmin application, enabling redirection of the user's browser tab to attacker-controlled URLs. The vulnerability compromises confidentiality and integrity (CVSS impact: high), but does not affect availability. Standard anti-clickjacking protections do not mitigate this risk due to the injection originating internally within the application DOM.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vendor has described a comprehensive fix involving DOMPurify sanitization, introduction of safe plain-text rendering components, and backend HTML escaping. Users should monitor pgAdmin.org for official patches or updates addressing CVE-2026-12048 and apply them once available. Until patched, users should exercise caution when connecting pgAdmin 4 versions 6.0 through 9.15 to untrusted PostgreSQL servers or servers where attacker-controlled object names may exist.
CVE-2026-12048: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pgadmin.org pgAdmin 4
Description
CVE-2026-12048 is a critical stored cross-site scripting (XSS) vulnerability in pgAdmin 4 affecting versions from 6.0 up to but not including 9.16. The vulnerability arises from improper neutralization of input during web page generation, where text returned by a PostgreSQL server is passed without sanitization into multiple user-facing components. This allows an attacker controlling a PostgreSQL server or influencing object names to inject arbitrary HTML, including iframes, into the pgAdmin interface. The injected content can execute attacker-controlled JavaScript and redirect the user's browser tab to malicious sites. Standard anti-clickjacking protections do not mitigate this issue due to the injection originating within pgAdmin's own DOM. The vendor has implemented a multi-layered fix involving DOMPurify sanitization, introduction of plain-text rendering components, and backend HTML escaping. No official patch release or advisory link is provided yet.
CVSS v3.1
Score 9.3critical
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability is a stored cross-site scripting (CWE-79) flaw in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server, including error messages and explain plan details, was passed verbatim through html-react-parser to various user interface components without proper sanitization. An attacker controlling a PostgreSQL server or influencing database object names can inject arbitrary HTML, including iframes, into the pgAdmin DOM when a victim connects or views an explain plan referencing crafted objects. The injected iframe can load attacker JavaScript and redirect the top-level pgAdmin browser tab. Because the injection occurs inside pgAdmin's interface, typical anti-clickjacking headers do not prevent exploitation. The fix involves three layers: wrapping html-react-parser calls with DOMPurify sanitization, migrating many UI components to use plain-text rendering contracts, and applying backend HTML escaping to prevent raw markup in API consumers. The affected versions are pgAdmin 4 from 6.0 up to but not including 9.16.
Potential Impact
Successful exploitation allows an attacker controlling a PostgreSQL server or influencing database object names to inject arbitrary HTML and JavaScript into the pgAdmin 4 interface of a connected user. This can lead to execution of attacker-controlled scripts within the context of the pgAdmin application, enabling redirection of the user's browser tab to attacker-controlled URLs. The vulnerability compromises confidentiality and integrity (CVSS impact: high), but does not affect availability. Standard anti-clickjacking protections do not mitigate this risk due to the injection originating internally within the application DOM.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vendor has described a comprehensive fix involving DOMPurify sanitization, introduction of safe plain-text rendering components, and backend HTML escaping. Users should monitor pgAdmin.org for official patches or updates addressing CVE-2026-12048 and apply them once available. Until patched, users should exercise caution when connecting pgAdmin 4 versions 6.0 through 9.15 to untrusted PostgreSQL servers or servers where attacker-controlled object names may exist.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- PostgreSQL
- Date Reserved
- 2026-06-11T20:40:08.398Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a357432f198dc38c1bc0d3d
Added to database: 6/19/2026, 4:54:10 PM
Last enriched: 6/19/2026, 4:55:09 PM
Last updated: 6/19/2026, 6:03:11 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.