QSearchQSearch

CVE-2026-7815

8.8 HIGH

SQL injection vulnerability in pgAdmin 4 Maintenance Tool

Published: 2026-05-11 · Last updated: 2026-05-26

Severity and scoring

CVSS
8.8 HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-89

Affected products

VendorProduct
pgadminpgadmin_4

Description

SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host. Fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter. This issue affects pgAdmin 4: before 9.15.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-7820 Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4 (6.5 MEDIUM)
  • CVE-2026-7819 Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager (8.1 HIGH)
  • CVE-2026-7818 Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager (7.0 HIGH)
  • CVE-2026-7817 Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints (6.5 MEDIUM)
  • CVE-2026-7816 OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export (8.8 HIGH)

Same CWE

  • CVE-2026-48613 SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migratio... (5.9 MEDIUM)
  • CVE-2026-45418 ClipBucket v5 is an open source video sharing platform (8.8 HIGH)
  • CVE-2026-45060 ClipBucket v5 is an open source video sharing platform (9.8 CRITICAL)
  • CVE-2026-42647 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL ... (9.3 CRITICAL)
  • CVE-2026-39494 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Plugins Product Filter by WBW a... (9.3 CRITICAL)