CVE-2026-7814: Vulnerability in pgadmin.org pgAdmin 4
Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules. User-controlled PostgreSQL object names (database, schema, table, column, etc.) were assigned to DOM elements via innerHTML, allowing crafted object names containing HTML markup to execute attacker-supplied JavaScript in the browser of any pgAdmin user who navigated to or executed EXPLAIN over the malicious object. Fix replaces innerHTML with textContent. This issue affects pgAdmin 4: before 9.15.
AI Analysis
Technical Summary
CVE-2026-7814 is a stored XSS vulnerability in pgAdmin 4's Browser Tree and Explain Visualizer modules. It occurs because PostgreSQL object names controlled by users are inserted into the DOM via innerHTML, allowing attackers to inject malicious JavaScript. This can lead to script execution in the context of the pgAdmin user's browser session when they navigate to or run EXPLAIN on the malicious object. The vulnerability affects versions before 9.15, including 6.9. The intended fix replaces innerHTML with textContent to safely render object names as text rather than HTML.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of pgAdmin users who interact with maliciously named PostgreSQL objects. This can lead to information disclosure or other client-side impacts within the context of the pgAdmin web interface. The CVSS score of 4.8 reflects a medium severity with low complexity and requiring user interaction and privileges to exploit.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vulnerability is fixed in pgAdmin 4 version 9.15 by replacing innerHTML with textContent. Until an official patch is available, users should avoid interacting with untrusted PostgreSQL objects with potentially malicious names. Monitor pgAdmin.org for updates and apply the official fix once released.
CVE-2026-7814: Vulnerability in pgadmin.org pgAdmin 4
Description
Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules. User-controlled PostgreSQL object names (database, schema, table, column, etc.) were assigned to DOM elements via innerHTML, allowing crafted object names containing HTML markup to execute attacker-supplied JavaScript in the browser of any pgAdmin user who navigated to or executed EXPLAIN over the malicious object. Fix replaces innerHTML with textContent. This issue affects pgAdmin 4: before 9.15.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-7814 is a stored XSS vulnerability in pgAdmin 4's Browser Tree and Explain Visualizer modules. It occurs because PostgreSQL object names controlled by users are inserted into the DOM via innerHTML, allowing attackers to inject malicious JavaScript. This can lead to script execution in the context of the pgAdmin user's browser session when they navigate to or run EXPLAIN on the malicious object. The vulnerability affects versions before 9.15, including 6.9. The intended fix replaces innerHTML with textContent to safely render object names as text rather than HTML.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of pgAdmin users who interact with maliciously named PostgreSQL objects. This can lead to information disclosure or other client-side impacts within the context of the pgAdmin web interface. The CVSS score of 4.8 reflects a medium severity with low complexity and requiring user interaction and privileges to exploit.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vulnerability is fixed in pgAdmin 4 version 9.15 by replacing innerHTML with textContent. Until an official patch is available, users should avoid interacting with untrusted PostgreSQL objects with potentially malicious names. Monitor pgAdmin.org for updates and apply the official fix once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- PostgreSQL
- Date Reserved
- 2026-05-04T21:26:56.561Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a01f792cbff5d86102f20f7
Added to database: 5/11/2026, 3:36:50 PM
Last enriched: 5/11/2026, 3:53:24 PM
Last updated: 5/12/2026, 3:31:14 AM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.