216.73.217.64

CVE-2026-7815

· Published 11/05/2026 16:17 · Modified 11/05/2026 17:16

Labels: CVE-2026-7815 2026-05-11CVE-2026-7815CWE-89f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Essential information

Published
11/05/2026 16:17
Modified
11/05/2026 17:16
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host. Fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter. This issue affects pgAdmin 4: before 9.15.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
NVD
View on NVD

Affected products (CPE)

ProductCPE
pgadmin / pgadmin cpe:2.3:a:pgadmin:pgadmin:<9.15:*:*:*:*:*:*:*

References