CVE-2026-12044

Name of the Vulnerable Software and Affected Versions pgAdmin 4 versions 1.0 through 9.15

Description SQL injection is possible across multiple dialog templates that render descriptions for Domains, Foreign Tables, Languages, and Event Triggers, as well as the Views OID-lookup query. The issue occurs because user-supplied description fields are interpolated directly into single-quoted SQL literals instead of using the qtLiteral escape filter. An authenticated user with permissions to create or alter these objects can submit a description containing an apostrophe to execute arbitrary SQL. If the connected role has COPY ... TO/FROM PROGRAM permissions (typically a superuser), this can lead to OS command execution on the PostgreSQL host. Additionally, the pgstattuple and pgstatindex stats templates are affected because qtIdent does not escape apostrophes, allowing a user with CREATE privilege on a schema to trigger an unbalanced literal by naming a table or index with an apostrophe.

Recommendations Update pgAdmin 4 to version 9.16 or later.