PT-2026-39625 · Pgadmin 4+2

J3Seer · Published 2026-05-11 · Updated 2026-05-26 · CVE-2026-7815

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: pgAdmin 4 versions prior to 9.15

Description: An SQL injection exists in the Maintenance Tool where four user-supplied JSON fields (buffer usage limit, vacuum parallel, vacuum index cleanup, and reindex tablespace) are concatenated directly into the rendered VACUUM, ANALYZE, or REINDEX command and passed to psql --command. An authenticated user with the tools maintenance permission can break out of the option syntax to execute arbitrary SQL on the connected PostgreSQL server. This can further lead to operating-system command execution on the database host by invoking the COPY ... TO PROGRAM command.

Recommendations: Update to version 9.15 or later.
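The root cause described above is string concatenation of free-form option values into a maintenance statement. The following is an added example, not pgAdmin's code and not its actual fix: it shows the defensive pattern of allow-list validation per field (size literal, small integer, fixed keyword, plain identifier) before the VACUUM, ANALYZE or REINDEX statement is assembled, so that a value carrying extra SQL syntax is rejected rather than rendered. The JSON key names (`buffer_usage_limit`, `vacuum_parallel`, `vacuum_index_cleanup`, `reindex_tablespace`) are assumed from the field names in the advisory, and the mapping of each option to a PostgreSQL option keyword is the example's own.

```python
import re

# Added example (not pgAdmin's code): allow-list validation for the four
# Maintenance Tool option fields named in the advisory, plus assembly of the
# VACUUM / ANALYZE / REINDEX statement from validated values only.
# JSON key names below are assumptions, not pgAdmin's real field names.


class InvalidOption(ValueError):
    """Raised when a user-supplied option value fails allow-list validation."""


_SIZE_RE = re.compile(r"^[0-9]{1,9}(kB|MB|GB|TB)?$")        # e.g. 256, 1MB, 2GB
_INT_RE = re.compile(r"^[0-9]{1,4}$")                        # small non-negative integer
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")     # plain SQL identifier
_INDEX_CLEANUP_VALUES = ("on", "off", "auto")


def validate_size(value) -> str:
    """Accept only a digit string with an optional kB/MB/GB/TB unit suffix."""
    if not isinstance(value, str) or not _SIZE_RE.fullmatch(value):
        raise InvalidOption(f"invalid size value: {value!r}")
    return value


def validate_small_int(value) -> int:
    """Accept only a short run of digits (int or str), returned as int."""
    text = str(value)
    if not _INT_RE.fullmatch(text):
        raise InvalidOption(f"invalid integer value: {value!r}")
    return int(text)


def validate_index_cleanup(value) -> str:
    """Accept only the fixed keywords on / off / auto."""
    if not isinstance(value, str) or value.lower() not in _INDEX_CLEANUP_VALUES:
        raise InvalidOption(f"invalid index cleanup value: {value!r}")
    return value.upper()


def validate_identifier(value) -> str:
    """Accept only an unquoted SQL identifier (no quotes, spaces or punctuation)."""
    if not isinstance(value, str) or not _IDENT_RE.fullmatch(value):
        raise InvalidOption(f"invalid identifier: {value!r}")
    return value


def quote_ident(name: str) -> str:
    """Double-quote an identifier, doubling any embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


# Options each action accepts, in a fixed rendering order:
# (assumed JSON key, SQL option keyword, validator)
_OPTION_SPEC = {
    "VACUUM": [
        ("buffer_usage_limit", "BUFFER_USAGE_LIMIT", validate_size),
        ("vacuum_parallel", "PARALLEL", validate_small_int),
        ("vacuum_index_cleanup", "INDEX_CLEANUP", validate_index_cleanup),
    ],
    "ANALYZE": [
        ("buffer_usage_limit", "BUFFER_USAGE_LIMIT", validate_size),
    ],
    "REINDEX": [
        ("reindex_tablespace", "TABLESPACE", validate_identifier),
    ],
}


def build_maintenance_sql(action: str, schema: str, table: str, opts: dict) -> str:
    """Render the statement from validated option values; raise on anything else."""
    action = action.upper()
    if action not in _OPTION_SPEC:
        raise InvalidOption(f"unsupported action: {action!r}")

    # Reject keys the action does not accept instead of silently passing them through.
    allowed = {key for key, _, _ in _OPTION_SPEC[action]}
    unknown = set(opts) - allowed
    if unknown:
        raise InvalidOption(f"option(s) not valid for {action}: {sorted(unknown)}")

    rendered = []
    for key, keyword, validator in _OPTION_SPEC[action]:
        if key not in opts:
            continue
        value = validator(opts[key])          # raises InvalidOption on bad input
        if keyword == "BUFFER_USAGE_LIMIT":
            rendered.append(f"{keyword} '{value}'")     # value already matched _SIZE_RE
        elif keyword == "TABLESPACE":
            rendered.append(f"{keyword} {quote_ident(value)}")
        else:
            rendered.append(f"{keyword} {value}")

    option_clause = f"({', '.join(rendered)}) " if rendered else ""
    target = f"{quote_ident(schema)}.{quote_ident(table)}"
    if action == "REINDEX":
        return f"REINDEX {option_clause}TABLE {target};"
    return f"{action} {option_clause}{target};"


if __name__ == "__main__":
    # Constructed sample request as the tool might receive it.
    print(build_maintenance_sql("VACUUM", "public", "orders",
                                {"buffer_usage_limit": "1MB", "vacuum_parallel": 2,
                                 "vacuum_index_cleanup": "auto"}))
```

The point of the pattern is that each field has a closed grammar that can be checked before any string is built, so a value that does not match is refused up front; identifiers that reach the statement are additionally double-quoted, and unknown keys for an action are rejected rather than ignored.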

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2026-7815
GHSA-HP84-P2GQ-6FVR

Affected Products

Pgadmin
Postgresql
Pgadmin 4