pgAdmin 4 · CVE-2026-7816
**Name of the Vulnerable Software and Affected Versions**
pgAdmin 4 versions prior to 9.15
**Description**
An OS command injection issue exists in the query export function of the Import/Export feature. User-supplied input is interpolated directly into a psql `\copy` metacommand template without proper sanitization. An authenticated user can inject sequences such as `) TO PROGRAM 'cmd'` to execute arbitrary commands on the pgAdmin server, or `) TO '/path'` to perform arbitrary file writes. Additionally, the `format`, `on error`, and `log verbosity` fields are raw-interpolated and exploitable.
**Recommendations**
Update to version 9.15 or later.
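
The description notes that the `format`, `on error`, and `log verbosity` fields are interpolated raw. The following is an added example, not pgAdmin's code or its actual fix: it maps those fields onto an allowlist of COPY keywords so the generated text only ever contains constants. The function names, dictionary keys and keyword sets are assumptions, and the query and file path inputs are not covered.

```python
# Keywords PostgreSQL's COPY accepts for these options (assumed set;
# adjust to the server versions in use).
ALLOWED = {
    "format": ("csv", "text", "binary"),
    "on_error": ("stop", "ignore"),
    "log_verbosity": ("default", "verbose", "silent"),
}


class RejectedOption(ValueError):
    """Raised when a field or value is not a known COPY keyword."""


def canonical(field, value):
    """Return the allowlisted constant matching `value`, never the input itself."""
    if not isinstance(value, str):
        raise RejectedOption(f"{field}: expected a string")
    wanted = value.strip().lower()
    for keyword in ALLOWED[field]:
        if wanted == keyword:
            return keyword  # constant from ALLOWED, not user-controlled text
    raise RejectedOption(f"{field}: {value!r} is not an accepted value")


def build_with_clause(options):
    """Build the WITH (...) clause from validated fields; unknown fields fail."""
    unknown = set(options) - set(ALLOWED)
    if unknown:
        raise RejectedOption(f"unknown fields: {sorted(unknown)}")
    parts = [
        f"{field.upper()} {canonical(field, options[field])}"
        for field in ("format", "on_error", "log_verbosity")
        if field in options
    ]
    return "WITH (" + ", ".join(parts) + ")" if parts else ""


def is_rejected(options):
    """True when build_with_clause refuses the input."""
    try:
        build_with_clause(options)
    except RejectedOption:
        return True
    return False


if __name__ == "__main__":
    print(build_with_clause({"format": "CSV", "on_error": "ignore"}))
    # Constructed input reusing the sequence quoted in the description.
    print(is_rejected({"format": "csv) TO PROGRAM 'cmd'"}))
```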