
Threat Intelligence Database

Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.


Threat Intelligence

Click on any threat for detailed analysis and mitigation recommendations

CVE-2026-12050: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in pgadmin.org pgAdmin 4

CVE-2026-12050 is a medium-severity SQL injection vulnerability in pgAdmin 4 affecting versions from 1.0 up to but not including 9.16. The issue occurs in the named restore point endpoint, where user input is improperly handled, allowing an authenticated user with a connected PostgreSQL session to inject SQL commands. The injected SQL executes with the privileges of the user's existing database role, so no privilege escalation occurs. The vulnerability is fixed by passing the restore point name as a bound parameter and schema-qualifying the function call to prevent redirection. No known exploits are reported in the wild.

CVE-2026-12049: CWE-601 URL Redirection to Untrusted Site ('Open Redirect') in pgadmin.org pgAdmin 4

CVE-2026-12049 is an open redirect vulnerability in pgAdmin 4's multi-factor authentication (MFA) flow affecting versions from 6.0 up to but not including 9.16. The MFA validate and register endpoints improperly trust the user-supplied 'next' parameter, allowing redirection to external, attacker-controlled sites. This vulnerability does not grant direct access to pgAdmin or databases, but it can facilitate phishing attacks by redirecting authenticated users to malicious sites. A fix was introduced to restrict redirects to same-origin URLs or safe relative paths.

CVE-2026-12048: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pgadmin.org pgAdmin 4

CVE-2026-12048 is a critical stored cross-site scripting (XSS) vulnerability in pgAdmin 4 affecting versions from 6.0 up to but not including 9.16. The vulnerability arises from improper neutralization of input during web page generation: text returned by a PostgreSQL server is passed without sanitization into multiple user-facing components. This allows an attacker who controls a PostgreSQL server, or who can influence object names, to inject arbitrary HTML, including iframes, into the pgAdmin interface. The injected content can execute attacker-controlled JavaScript and redirect the user's browser tab to malicious sites. Standard anti-clickjacking protections do not mitigate this issue because the injection originates within pgAdmin's own DOM. The vendor has implemented a multi-layered fix involving DOMPurify sanitization, the introduction of plain-text rendering components, and backend HTML escaping. No official patch release or advisory link is provided yet.

CVE-2026-12047: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pgadmin.org pgAdmin 4

CVE-2026-12047 is a cross-site scripting (XSS) vulnerability in pgAdmin 4 affecting versions from 6.6 up to but not including 9.16. The issue arises from improper HTML encoding of exception messages from cloud SDKs (AWS, Azure, Google), which are included verbatim in JSON responses and rendered as HTML in the Cloud Wizard frontend. An authenticated user can inject malicious HTML/JavaScript via crafted credentials, leading to self-targeted XSS and potential escalation to other users if combined with a valid CSRF token. The vulnerability affects multiple endpoints related to cloud deployment and credential verification. A fix is available that properly HTML-escapes external exception strings and renders messages as plain text to prevent HTML parsing.

CVE-2026-12046: CWE-306 Missing Authentication for Critical Function in pgadmin.org pgAdmin 4

CVE-2026-12046 is a critical vulnerability in pgAdmin 4 affecting server mode in versions from 6.9 up to but not including 9.16. Two endpoints in the SQL Editor blueprint lack authentication, allowing unauthenticated access to functions that deserialize session data using pickle. Exploitation requires prior knowledge of the server's Flask SECRET_KEY and write access to the session files, conditions that this flaw alone does not grant. If those preconditions are met, the vulnerability enables unauthenticated remote code execution. The fix adds an authentication decorator to the affected endpoints to prevent unauthenticated access. This issue does not affect desktop mode, because desktop mode re-authenticates.

CVE-2026-12045: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in pgadmin.org pgAdmin 4

CVE-2026-12045 is a critical SQL injection vulnerability in pgAdmin 4 versions from 9.13 up to but not including 9.16. It allows an attacker who can influence database content read by the AI Assistant's execute_sql_query tool to bypass the intended read-only transaction and execute arbitrary SQL commands with the privileges of the pgAdmin user's database role. This can lead to unauthorized data modification and, if the pgAdmin user has elevated privileges, remote code execution on the database server host. The vulnerability is caused by insufficient validation of LLM-generated SQL queries, which allows multi-statement payloads that terminate the read-only transaction. The fix validates that the query consists of exactly one allowed statement type before execution.

CVE-2026-12044: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in pgadmin.org pgAdmin 4

CVE-2026-12044 is a SQL injection vulnerability in pgAdmin 4 affecting multiple dialog templates that render user-supplied descriptions inside SQL COMMENT statements without proper escaping. Authenticated users with permission to create or alter certain database objects can inject SQL code via description fields. The vulnerability allows execution of arbitrary SQL commands with the privileges of the authenticated PostgreSQL role. The issue affects pgAdmin 4 versions from 1.0 up to but not including 9.16. A layered fix was developed, consisting of template escaping improvements, driver hardening, and regression tests.
