pgAdmin 4 · pgAdmin 4 · CVE-2026-7814
**Name of the Vulnerable Software and Affected Versions**
pgAdmin 4 versions prior to 9.15
**Description**
A stored cross-site scripting (XSS) issue exists in the Browser Tree and Explain Visualizer modules. User-controlled PostgreSQL object names, such as those for databases, schemas, tables, or columns, are assigned to DOM elements using `innerHTML`. As a result, a crafted object name containing HTML markup can execute attacker-supplied JavaScript in the browser of any user who navigates to the malicious object or executes EXPLAIN over it.
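The following is an added example, not pgAdmin's code and not part of the advisory: a defender-side audit that flags object names an `innerHTML` assignment would parse as markup, and produces an HTML-encoded label that is safe to display. The function names and the sample catalog are constructed for illustration.

```javascript
// Added example: hypothetical helpers and constructed data, not pgAdmin code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode an identifier so it stays inert text even if it reaches an HTML sink.
// (Assigning the raw name to textContent instead of innerHTML avoids parsing entirely.)
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// True when an HTML parser would treat part of the name as markup rather than text:
// a tag, comment or doctype opener, or a character reference that would be decoded.
function looksLikeMarkup(name) {
  return /<[a-zA-Z\/!?]|&(#\d+|#x[0-9a-f]+|[a-z][a-z0-9]*);/i.test(name);
}

// Audit a catalog listing (e.g. rows exported from the system catalogs) and
// return only the objects whose names need review, with a safe display label.
function auditObjectNames(objects) {
  return objects
    .filter((o) => looksLikeMarkup(o.name))
    .map((o) => ({ kind: o.kind, name: o.name, safeLabel: escapeHtml(o.name) }));
}

// Constructed sample covering the object kinds named in the description.
const sampleCatalog = [
  { kind: 'database', name: 'inventory' },
  { kind: 'schema', name: 'sales & marketing' },   // bare ampersand: plain text
  { kind: 'table', name: 'orders<b>2024</b>' },    // parsed as a <b> element
  { kind: 'column', name: 'price < cost' },        // "< " is not a tag opener
  { kind: 'column', name: 'note&lt;x' },           // character reference is decoded
];

const findings = auditObjectNames(sampleCatalog);
for (const f of findings) {
  console.log(`${f.kind}: ${JSON.stringify(f.name)} -> ${f.safeLabel}`);
}
```

Legitimate names containing `<` or `&` in non-markup positions are not flagged, so findings on a real server are worth reviewing by hand before and after upgrading.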
**Recommendations**
Update to version 9.15 or later.