Every CVE whose affected-product data names Pgadmin Pgadmin 4, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (35)
CVE-2024-9014 — CVSS 9.9 (critical): pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to…
CVE-2026-7813 — CVSS 9.9 (critical): Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger…
CVE-2024-2044 — CVSS 9.9 (critical): pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the…
CVE-2025-2945 — CVSS 9.9 (critical): Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). The vulnerability is associated with…
CVE-2026-12048 — CVSS 9.3 (critical): Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server…
CVE-2025-13780 — CVSS 9.1 (critical): pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and…
CVE-2025-12762 — CVSS 9.1 (critical): pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and…
CVE-2025-2946 — CVSS 9.1 (critical): pgAdmin <= 9.1 is affected by a security vulnerability with Cross-Site Scripting(XSS). If attackers execute any arbitrary HTML/JavaScript…
CVE-2026-12046 — CVSS 9.0 (critical): Two state-mutating endpoints in pgAdmin 4's SQL Editor blueprint -- DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqledi…
CVE-2026-12045 — CVSS 9.0 (critical): Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads…
CVE-2026-7815 — CVSS 8.8 (high): SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel…
CVE-2022-4223 — CVSS 8.8 (high): The pgAdmin server includes an HTTP API that is intended to be used to validate the path a user selects to external PostgreSQL utilities…
CVE-2026-12044 — CVSS 8.8 (high): SQL injection in pgAdmin 4 across every dialog template that renders ``COMMENT ON ... IS '<description>'`` for a user-supplied description…
CVE-2026-7816 — CVSS 8.8 (high): OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export. User-supplied input was interpolated directly into a…
CVE-2026-7819 — CVSS 8.1 (high): Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager. check_access_permission used os.path.abspath, which resolves '..'…
CVE-2025-9636 — CVSS 7.9 (high): pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. This vulnerability allows an attacker to manipulate the…
CVE-2025-12764 — CVSS 7.5 (high): pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special…
CVE-2025-12765 — CVSS 7.5 (high): pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism allows bypassing TLS certificate verification.
CVE-2024-4215 — CVSS 7.4 (high): pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a…
CVE-2024-6238 — CVSS 7.4 (high): pgAdmin <= 8.8 has an installation Directory permission issue. Because of this issue, attackers can gain unauthorised access to the…
CVE-2024-3116 — CVSS 7.4 (high): pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows…
CVE-2024-4216 — CVSS 7.4 (high): pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to…
CVE-2026-1707 — CVSS 7.4 (high): pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode…
CVE-2026-7818 — CVSS 7.0 (high): Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager. The session manager performed unsafe deserialization of…
CVE-2025-12763 — CVSS 6.8 (medium): pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of…
CVE-2026-7820 — CVSS 6.5 (medium): Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4. pgAdmin enforces MAX_LOGIN_ATTEMPTS only inside its…
CVE-2023-0241 — CVSS 6.5 (medium): pgAdmin 4 versions prior to v6.19 contains a directory traversal vulnerability. A user of the product may change another user's settings or…
CVE-2026-7817 — CVSS 6.5 (medium): Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints…
CVE-2022-0959 — CVSS 6.5 (medium): A malicious, but authorised and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to…
CVE-2023-22298 — CVSS 6.1 (medium): Open redirect vulnerability in pgAdmin 4 versions prior to v6.14 allows a remote unauthenticated attacker to redirect a user to an…
CVE-2023-5002 — CVSS 6.0 (medium): A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL…
CVE-2026-7814 — CVSS 4.8 (medium): Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules. User-controlled PostgreSQL object…
CVE-2026-12049 — CVSS 4.3 (medium): Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next'…
CVE-2026-12050 — CVSS 4.3 (medium): SQL injection in pgAdmin 4's named restore point endpoint (POST /browser/server/restore_point/{gid}/{sid}). The user-supplied 'value' field…
CVE-2026-12047 — CVSS 3.5 (low): HTML injection in pgAdmin 4's cloud deployment module. The verify_credentials, deploy, regions, and update-server endpoints under /rds/…