PT-2026-39626 · Pgadmin 4+1 · Pgadmin 4+1
Chung Kim
+1
·
Published
2026-05-01
·
Updated
2026-05-26
·
CVE-2026-7816
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
pgAdmin 4 versions prior to 9.15
Description
An OS command injection issue exists in the Import/Export query export feature. User-supplied input is interpolated directly into a psql
copy metacommand template without proper sanitization. An authenticated user can inject specific sequences, such as ") TO PROGRAM 'cmd'", to execute arbitrary commands on the pgAdmin server, or ") TO '/path'" to perform arbitrary file writes. Additionally, the format, on error, and log verbosity fields are raw-interpolated and exploitable.Recommendations
Update to version 9.15 or later.
Exploit
Fix
SQL injection
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Pgadmin
Pgadmin 4