QSearchQSearch

CVE-2026-7814

4.8 MEDIUM

Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules

Published: 2026-05-11 · Last updated: 2026-05-26

Severity and scoring

CVSS
4.8 MEDIUM
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE
CWE-79

Affected products

VendorProduct
pgadminpgadmin_4

Description

Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules. User-controlled PostgreSQL object names (database, schema, table, column, etc.) were assigned to DOM elements via innerHTML, allowing crafted object names containing HTML markup to execute attacker-supplied JavaScript in the browser of any pgAdmin user who navigated to or executed EXPLAIN over the malicious object. Fix replaces innerHTML with textContent. This issue affects pgAdmin 4: before 9.15.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-7820 Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4 (6.5 MEDIUM)
  • CVE-2026-7819 Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager (8.1 HIGH)
  • CVE-2026-7818 Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager (7.0 HIGH)
  • CVE-2026-7817 Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints (6.5 MEDIUM)
  • CVE-2026-7816 OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export (8.8 HIGH)

Same CWE

  • CVE-2026-12425 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
  • CVE-2024-30476 PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
  • CVE-2026-54198 Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions (7.1 HIGH)
  • CVE-2026-54191 Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)
  • CVE-2026-39437 Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions (7.1 HIGH)