This vulnerability arises from user-supplied input being directly interpolated into a psql \copy metacommand template without proper sanitization in pgAdmin 4's Import/Export query export functionality. An authenticated attacker can inject payloads such as ") TO PROGRAM 'cmd'" to execute arbitrary commands or ") TO '/path'" to write files arbitrarily on the server hosting pgAdmin. Additional parameters like format, on_error, and log_verbosity are also vulnerable due to raw interpolation. The vendor's fix adds a parentheses-balance parser modeled on psql's tokenizer, implements allow-lists for certain parameters, rejects null bytes, and tightens type and gating checks. This issue affects pgAdmin 4 versions before 9.15.

Successful exploitation allows an authenticated user to execute arbitrary OS commands or write arbitrary files on the pgAdmin server, leading to full compromise of confidentiality, integrity, and availability of the affected system. The CVSS 3.1 base score is 8.8, indicating high severity with network attack vector, low attack complexity, and no user interaction required beyond authentication.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The description notes that a fix is implemented in version 9.15 and later, which includes improved input parsing and validation. Until official confirmation is available, users should upgrade to pgAdmin 4 version 9.15 or later once released. In the meantime, restrict access to authenticated users and monitor for suspicious activity related to Import/Export query exports.