CVE-2026-7815

HIGH(8.8)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Risk Signal Score22/100 — NIEDRIG

CVSS 8.8 — Hoch

EPSS-Score

Exploit-Wahrscheinlichkeit (30 Tage)

CVSS Score

8.8

Technische Schwere

Beschreibung

SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host. Fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter. This issue affects pgAdmin 4: before 9.15.

GitHub Advisories

GHSA-hp84-p2gq-6fvrHIGH

SQL injection vulnerability in pgAdmin 4 Maintenance Tool

pip/pgadmin4→ 9.15

GitHub Advisory

Referenzen

https://github.com/pgadmin-org/pgadmin4/issues/9898