PT-2026-39624 · Pgadmin 4+1 · Pgadmin 4+1

Fahar Abbas

·

Published

2026-04-21

·

Updated

2026-05-26

·

CVE-2026-7814

CVSS v2.0

5.5

Medium

VectorAV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions pgAdmin 4 versions prior to 9.15
Description A stored cross-site scripting (XSS) issue exists in the Browser Tree and Explain Visualizer modules. User-controlled PostgreSQL object names, such as those for databases, schemas, tables, or columns, are assigned to DOM elements using innerHTML. This allows crafted object names containing HTML markup to execute attacker-supplied JavaScript in the browser of any user who navigates to or executes EXPLAIN over the malicious object.
Recommendations Update to version 9.15 or later.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-09130
CVE-2026-7814
GHSA-6P2C-69CV-3FXQ

Affected Products

Pgadmin
Pgadmin 4