PT-2025-47582 · Unknown · Phppgadmin

Published 2025-11-17 · Updated 2025-12-18 · CVE-2025-60797

CVSS v2.0: 6.8 (Medium) · Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: phpPgAdmin versions 7.13.0 and earlier
Description: phpPgAdmin versions 7.13.0 and earlier contain a SQL injection issue in dataexport.php at line 118. The script passes the user-supplied SQL from the $_REQUEST['query'] parameter straight to the database via $data->conn->Execute($_REQUEST['query']), with no validation or parameterization. Because $_REQUEST merges GET, POST and cookie input, the statement can arrive through any of those channels. An authenticated attacker can use this to run arbitrary SQL statements with the privileges of the PostgreSQL role they are logged in as, potentially leading to database compromise, data theft, or privilege escalation. The vulnerable parameter is query.
Recommendations: Installations running phpPgAdmin 7.13.0 or earlier are affected and should be updated.
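As an added example (not code from this page or from the phpPgAdmin project), the following Python script hunts for abuse of the dataexport.php query parameter in web-server access logs. It assumes Apache/nginx "combined" log format and runs over constructed sample lines; the keyword list and the "single read-only statement" heuristic are triage choices of the editor, not a SQL parser, and the file names, hosts and queries in the sample are made up.

```python
"""Triage helper for the phpPgAdmin dataexport.php `query` issue.

Scans web-server access logs (Apache/nginx "combined" format) for GET
requests to dataexport.php whose decoded `query` parameter is anything
other than a single read-only statement, and reports why each hit looks
suspicious. Heuristic only: it is a lead generator, not a verdict.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Keywords that have no place in an export of query results: DDL/DML,
# role changes, and PostgreSQL server-side file / large-object access.
WRITE_OR_FILE_KEYWORDS = re.compile(
    r'\b(insert|update|delete|drop|alter|create|truncate|grant|revoke|copy|'
    r'pg_read_file|pg_read_binary_file|pg_ls_dir|lo_import|lo_export|dblink)\b',
    re.IGNORECASE,
)

# Statement heads that are plausible for exporting a result set.
READ_ONLY_HEAD = re.compile(r'^(select|with|table|values)\b', re.IGNORECASE)


def extract_query(target):
    """Return the decoded `query` parameter of a dataexport.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith('dataexport.php'):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get('query')
    return values[0] if values else None


def classify_query(sql):
    """Return the reasons `sql` looks abusive; an empty list means it looks
    like one read-only statement (heuristic, see module docstring)."""
    reasons = []
    body = sql.strip().rstrip(';').strip()
    if ';' in body:
        reasons.append('stacked statements')
    if not READ_ONLY_HEAD.match(body):
        reasons.append('not a read-only statement')
    m = WRITE_OR_FILE_KEYWORDS.search(body)
    if m:
        reasons.append('write/file keyword: ' + m.group(0).upper())
    if '--' in body or '/*' in body:
        reasons.append('SQL comment marker')
    return reasons


def hunt(lines):
    """Return (ip, user, time, sql, reasons) for each flagged dataexport.php request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        sql = extract_query(m['target'])
        if sql is None:
            continue  # other script, or query sent in a POST body / cookie (not logged)
        reasons = classify_query(sql)
        if reasons:
            hits.append((m['ip'], m['user'], m['time'], sql, reasons))
    return hits


# Constructed sample log lines: hosts, users, paths and queries are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Nov/2025:10:15:02 +0000] "GET /phppgadmin/dataexport.php'
    '?query=SELECT+*+FROM+customers+LIMIT+10&d_format=csv HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Nov/2025:10:16:11 +0000] "GET /phppgadmin/dataexport.php'
    '?query=SELECT+1%3B+DROP+TABLE+audit_log&d_format=csv HTTP/1.1" 200 37 "-" "curl/8.5.0"',
    '203.0.113.9 - - [17/Nov/2025:10:16:19 +0000] "GET /phppgadmin/dataexport.php'
    '?query=ALTER+USER+app+WITH+SUPERUSER&d_format=csv HTTP/1.1" 200 12 "-" "curl/8.5.0"',
    '203.0.113.9 - - [17/Nov/2025:10:16:27 +0000] "GET /phppgadmin/dataexport.php'
    '?query=SELECT+pg_read_file(%27/etc/passwd%27)&d_format=csv HTTP/1.1" 200 2901 "-" "curl/8.5.0"',
    '198.51.100.7 - - [17/Nov/2025:10:17:03 +0000] "GET /phppgadmin/display.php'
    '?query=DROP+TABLE+x HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Nov/2025:10:16:40 +0000] "POST /phppgadmin/dataexport.php'
    ' HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
]

if __name__ == '__main__':
    for ip, user, when, sql, reasons in hunt(SAMPLE_LOG):
        print(f'{when} {ip} {sql!r}: {", ".join(reasons)}')
```

Two caveats when using this against real logs. First, because the script reads $_REQUEST, the query can also arrive in a POST body or a cookie, neither of which appears in an access log, so the last sample line above is invisible to this hunt; server-side coverage needs PostgreSQL statement logging (log_statement) or pgaudit. Second, phpPgAdmin is a database administration console, so an authenticated user running SQL is not abnormal in itself; the hits are leads to correlate with the account, source address and the statements themselves.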

Exploit · Fix · LPE · SQL injection

Weakness Enumeration

Related Identifiers

BDU:2025-14889
CVE-2025-60797
GHSA-927W-VQ5C-8GC3

Affected Products

Phppgadmin