PT-2026-39628 · pgAdmin 4

Fernando Bortotti · Published 2026-05-11 · Updated 2026-05-26

CVE-2026-7818

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: pgAdmin 4 versions prior to 9.15

Description: The FileBackedSessionManager in pgAdmin 4 deserializes the contents of a session file with Python's pickle module (the standard library's object-serialization module) before it verifies the file's HMAC. Because the integrity check runs only after deserialization, any file placed in the sessions directory is unpickled unconditionally, and pickle executes the callables named in the stream while loading it. An authenticated user who can write to the sessions directory, for example through a permissions misconfiguration or a path-traversal flaw, can plant a crafted pickle and obtain arbitrary code execution at the operating-system level under the identity of the pgAdmin process.

Recommendations: Update to version 9.15 or later.
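The ordering flaw in the description, shown as an added example that is not pgAdmin's code: a minimal file-backed session store whose vulnerable loader unpickles the file body and only then checks the HMAC, beside a hardened loader that authenticates the raw bytes first and then unpickles through an Unpickler that refuses every global. The secret, the file layout (a 32-byte HMAC-SHA256 digest followed by the pickle body), the function names, and the restricted unpickler are assumptions of this example; the restricted unpickler is defense in depth on top of verify-before-deserialize and is not claimed to be what 9.15 implements. The payload's reducer calls os.mkdir on a marker path as a benign, observable stand-in for the os.system call a real payload would use.

```python
import hashlib
import hmac
import io
import os
import pickle
import tempfile

# Assumed server-side key for this example; pgAdmin manages its own secret material.
SESSION_SECRET = b"assumed-server-side-session-secret"
DIGEST_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 digest prefixes the pickle body


class MaliciousSession:
    """Crafted payload: when unpickled, its reducer calls os.mkdir(marker_path).
    A real payload would name os.system here; mkdir is the benign stand-in."""

    def __init__(self, marker_path):
        self.marker_path = marker_path

    def __reduce__(self):
        return (os.mkdir, (self.marker_path,))


def _sign(body, key=SESSION_SECRET):
    return hmac.new(key, body, hashlib.sha256).digest()


def _session_path(sessions_dir, sid):
    return os.path.join(sessions_dir, sid)


def write_session(sessions_dir, sid, data, key=SESSION_SECRET):
    """Legitimate writer: digest first, pickled session data after it."""
    body = pickle.dumps(data)
    with open(_session_path(sessions_dir, sid), "wb") as f:
        f.write(_sign(body, key) + body)


def plant_forged_session(sessions_dir, sid, obj):
    """Attacker with write access to the sessions directory: no key needed, because
    the vulnerable loader unpickles before it ever looks at the digest."""
    with open(_session_path(sessions_dir, sid), "wb") as f:
        f.write(b"\x00" * DIGEST_LEN + pickle.dumps(obj))


def _read(sessions_dir, sid):
    with open(_session_path(sessions_dir, sid), "rb") as f:
        raw = f.read()
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def load_session_unsafe(sessions_dir, sid):
    """Vulnerable ordering: deserialize, then verify."""
    digest, body = _read(sessions_dir, sid)
    data = pickle.loads(body)  # attacker-chosen callable runs here
    if not hmac.compare_digest(digest, _sign(body)):
        return None  # the mismatch is noticed only after the payload executed
    return data


class _SessionUnpickler(pickle.Unpickler):
    """Session data is plain dicts/lists/str/int, which pickle encodes without any
    GLOBAL opcode, so every find_class call is an attempt to import code."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name} in session data")


def load_session_safe(sessions_dir, sid):
    """Hardened ordering: constant-time verify of the raw bytes, then restricted unpickling."""
    digest, body = _read(sessions_dir, sid)
    if len(digest) != DIGEST_LEN or not hmac.compare_digest(digest, _sign(body)):
        raise ValueError("session file failed HMAC verification")
    return _SessionUnpickler(io.BytesIO(body)).load()


def demo():
    """Runs four scenarios in a throwaway sessions directory; a marker directory
    existing afterwards means the planted payload executed."""
    sessions_dir = tempfile.mkdtemp(prefix="pgadmin-sessions-")
    result = {}

    # 1. Forged file, vulnerable loader: payload runs, loader then returns None.
    marker = os.path.join(sessions_dir, "executed-by-unsafe-loader")
    plant_forged_session(sessions_dir, "forged", MaliciousSession(marker))
    result["unsafe_returned"] = load_session_unsafe(sessions_dir, "forged")
    result["unsafe_ran_payload"] = os.path.isdir(marker)

    # 2. Same forged file, hardened loader: rejected before any unpickling.
    marker = os.path.join(sessions_dir, "executed-by-safe-loader")
    plant_forged_session(sessions_dir, "forged", MaliciousSession(marker))
    try:
        load_session_safe(sessions_dir, "forged")
        result["safe_forged"] = "loaded"
    except ValueError:
        result["safe_forged"] = "rejected"
    result["safe_forged_ran_payload"] = os.path.isdir(marker)

    # 3. Legitimate file, hardened loader: ordinary session data still loads.
    write_session(sessions_dir, "legit", {"user": "alice", "role": "admin"})
    result["legit"] = load_session_safe(sessions_dir, "legit")

    # 4. Key leaked and attacker signs the payload: HMAC passes, unpickler still refuses.
    marker = os.path.join(sessions_dir, "executed-despite-valid-hmac")
    write_session(sessions_dir, "signed_evil", MaliciousSession(marker))
    try:
        load_session_safe(sessions_dir, "signed_evil")
        result["signed_evil"] = "loaded"
    except pickle.UnpicklingError:
        result["signed_evil"] = "rejected"
    result["signed_evil_ran_payload"] = os.path.isdir(marker)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Scenario 1 is the advisory's bug class: the vulnerable loader does return None for the forged file, but os.mkdir has already run by then. Scenario 4 shows why verify-first alone is a narrow fix: with the key, an attacker can sign a payload, so the unpickler should also be unable to resolve globals (or the session format should not be pickle at all).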

Tags: Fix, RCE

Weakness Enumeration: Deserialization of Untrusted Data (CWE-502)

Related Identifiers:
CVE-2026-7818
GHSA-4RHG-H8F2-V4JM

Affected Products:
Pgadmin
Pgadmin 4