{"uuid": "8cdd16ce-588c-4c14-94dc-9e607f48b9c7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Remote Code Execution and Cross-Site Scripting in pgAdmin 4 Can Be Exploited to Execute Arbitrary Commands and Exfiltrate Database Credentials. Patch Immediately! | CCB Belgium", "description": "# WARNING: Remote Code Execution and Cross-Site Scripting in pgAdmin 4 Can Be Exploited to Execute Arbitrary Commands and Exfiltrate Database Credentials. Patch Immediately! | CCB Belgium\n\nReference: https://ccb.belgium.be/advisories/warning-remote-code-execution-and-cross-site-scripting-pgadmin-4-can-be-exploited\n\nPublished: 22/06/2026\n\n> *   **Last update**: 22/06/2026\n> *   **Affected software:** pgAdmin 4 prior to version 9.16\n> *   **Type**:  \n>     \u2192 **CWE-306**: Missing Authentication for Critical Function / **CWE-502**: Deserialization of Untrusted Data  \n>     \u2192 **CWE-285**: Improper Authorization  \n>     \u2192 **CWE-79**: Improper Neutralization of Input During Web Page Generation ('Cross-Site Scripting')\n> *   **CVE/CVSS**  \n>     \u2192 CVE-2026-12048: CVSS 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)  \n>     \u2192 CVE-2026-12046: CVSS 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)  \n>     \u2192 CVE-2026-12045: CVSS 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)\n\nSources\n-------\n\npgAdmin - [https://www.pgadmin.org/docs/pgadmin4/9.16/release\\_notes\\_9\\_16.html](https://www.pgadmin.org/docs/pgadmin4/9.16/release_notes_9_16.html)\n\nRisks\n-----\n\npgAdmin 4 is the leading open-source graphical administration and management tool for PostgreSQL databases, widely used by database administrators in both server and desktop deployments.\n\nIf exploited, these vulnerabilities could allow attackers to execute arbitrary commands on the underlying server, reach the database management interface without valid credentials, or inject malicious scripts that steal saved database credentials and issue SQL queries against every connected server. Successful exploitation may result in unauthorized access to sensitive database information (Confidentiality), unauthorized modification or deletion of database content (Integrity), or disruption of database management services (Availability).\n\nDescription\n-----------\n\n**CVE-2026-12048** is a stored cross-site scripting vulnerability: PostgreSQL server error text and Explain plan-node content were passed unsanitized through html-react-parser in multiple UI components, including notifier toasts, form errors, modal alerts, and the Explain visualiser. Because pgAdmin's default Content-Security-Policy allows inline scripts, injected JavaScript runs in the origin of the victim's authenticated session and can read every saved server connection credential and issue arbitrary SQL against every server the victim is connected to. Any attacker who can influence an error message or an Explain plan that the victim's pgAdmin renders is in a position to trigger it.\n\n**CVE-2026-12046** affects two SQL Editor endpoints (close and update\\_connection) that were missing the authentication decorator (@pga\\_login\\_required) in server mode. This made the endpoints reachable by unauthenticated attackers and exposed a pickle deserialization sink, enabling remote code execution on the pgAdmin server without prior authentication.\n\n**CVE-2026-12045** affects the AI Assistant feature. A read-only transaction bypass allowed prompt-injected multi-statement payloads to commit write operations outside the READ ONLY transaction wrapper. On superuser database connections, this flaw chains to remote code execution via the \u201cCOPY ... TO PROGRAM\u201d PostgreSQL command, which runs the given command on the PostgreSQL host under the database server process; the superuser connection is what makes that command available to the injected SQL.\n\nRecommended Actions\n-------------------\n\n**Patch**  \nThe Centre for Cybersecurity Belgium strongly recommends upgrading vulnerable pgAdmin 4 installations to version 9.16 or later with the highest priority, after thorough testing.\n\n**Monitor/Detect**  \nThe CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion. Because CVE-2026-12046 needs no authentication, server-mode deployments should review web server and reverse-proxy logs for requests to the SQL Editor close and update\\_connection endpoints that do not belong to an authenticated session. Until the upgrade is applied, restricting network access to the pgAdmin web interface reduces exposure, and the AI Assistant should not be used over superuser connections, since that is the precondition for the \u201cCOPY ... TO PROGRAM\u201d chain.\n\nIn case of an intrusion, you can report an incident via [https://ccb.belgium.be/en/cert/report-incident](https://ccb.belgium.be/en/cert/report-incident).\n\nWhile patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.\n\nReferences\n----------\n\nNVD - [https://nvd.nist.gov/vuln/detail/CVE-2026-12048](https://nvd.nist.gov/vuln/detail/CVE-2026-12048)  \nNVD - [https://nvd.nist.gov/vuln/detail/CVE-2026-12045](https://nvd.nist.gov/vuln/detail/CVE-2026-12045)  \nNVD - [https://nvd.nist.gov/vuln/detail/CVE-2026-12046](https://nvd.nist.gov/vuln/detail/CVE-2026-12046)", "creation_timestamp": "2026-06-23T10:07:30.838375+00:00", "timestamp": "2026-06-23T10:07:30.838375+00:00", "related_vulnerabilities": ["CVE-2026-12046", "CVE-2026-12045", "CVE-2026-12048"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
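The root cause the advisory gives for CVE-2026-12046 is a routed Flask view that simply lacks the `@pga_login_required` decorator. The following is an added example, not pgAdmin's code: a stdlib-only static audit that parses a Python module and reports every function registered through a `.route(...)` decorator that is not wrapped by the login-required decorator. It also catches a subtler variant, the auth decorator written above `.route(...)`: Flask's `route()` registers the function it receives and returns it unchanged, so the auth wrapper applied afterwards is never what the URL map calls. The sample module is constructed for the demonstration; its route paths are placeholders, not pgAdmin's real URLs, and only the decorator name `pga_login_required` comes from the advisory.

```python
"""Static audit: every Flask view registered through a `.route(...)` decorator
must also be wrapped by the login-required decorator, in the right order.
Stdlib `ast` only; illustrative code, not pgAdmin's own."""
import ast
from typing import List, Tuple

AUTH_DECORATOR = "pga_login_required"   # decorator name quoted in the advisory

# Constructed sample module. Route paths are placeholders, not pgAdmin's real URLs.
SAMPLE_SOURCE = '''
from flask import Blueprint

blueprint = Blueprint("sqleditor", __name__)

@blueprint.route("/query_tool/<int:trans_id>", methods=["POST"])
@pga_login_required
def initialize_query_tool(trans_id):
    return "ok"                      # protected: auth sits below .route()

@blueprint.route("/close/<int:trans_id>", methods=["DELETE"])
def close(trans_id):
    return "closed"                  # no auth decorator at all

@pga_login_required
@blueprint.route("/update_connection/<int:trans_id>/<int:sid>", methods=["POST"])
def update_connection(trans_id, sid):
    return "updated"                 # decorator present but in the wrong order
'''


def _dotted_name(node: ast.expr) -> str:
    """'blueprint.route' for @blueprint.route(...), 'pga_login_required' for a bare name."""
    if isinstance(node, ast.Call):
        node = node.func
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _is_route(dec: ast.expr) -> bool:
    # Matches @<anything>.route(...), e.g. blueprint.route or app.route
    return isinstance(dec, ast.Call) and _dotted_name(dec).split(".")[-1] == "route"


def _is_auth(dec: ast.expr, auth: str) -> bool:
    return _dotted_name(dec).split(".")[-1] == auth


def find_unprotected_routes(source: str, auth: str = AUTH_DECORATOR) -> List[Tuple[str, int, str]]:
    """Return (view_name, lineno, reason) for each routed view not protected by `auth`.

    decorator_list is in source order, topmost first, and decorators apply
    bottom-up. Flask's .route() registers the function it is handed and returns
    it unchanged, so a route decorator placed BELOW the auth decorator registers
    the unwrapped view: the auth check exists in the source but is never run."""
    findings: List[Tuple[str, int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        decs = node.decorator_list
        route_idx = [i for i, d in enumerate(decs) if _is_route(d)]
        if not route_idx:
            continue                                   # not a view
        auth_idx = [i for i, d in enumerate(decs) if _is_auth(d, auth)]
        if not auth_idx:
            findings.append((node.name, node.lineno, f"missing @{auth}"))
        elif max(auth_idx) < max(route_idx):
            findings.append((node.name, node.lineno,
                             f"@{auth} is above .route(): the registered view is unwrapped"))
    return findings


if __name__ == "__main__":
    for name, lineno, reason in find_unprotected_routes(SAMPLE_SOURCE):
        print(f"{name} (line {lineno}): {reason}")
```

Run over a real code base by feeding each module's text to `find_unprotected_routes`, and treat any finding as a release blocker; views that are intentionally public (login, static assets) should be listed in an explicit allow list rather than silently skipped, so that a newly added unauthenticated endpoint is always a visible decision.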
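The CVE-2026-12045 description turns on one mechanism: a READ ONLY transaction wrapper protects only the statement it wraps, so a payload that contains its own `;` and `COMMIT` ends the transaction and runs whatever follows in autocommit mode. The block below is an added example, not pgAdmin's code, and does not claim to reproduce how pgAdmin wrapped or fixed the assistant's SQL. It shows the splice-into-a-script pattern the advisory describes being bypassed, a statement splitter that follows PostgreSQL lexical rules (quotes, dollar quoting, both comment styles) so the check cannot be fooled by a `;` inside a literal, and a guarded wrapper that refuses anything that is not exactly one statement. The injected payload is constructed; `E'...'` escape strings are assumed absent (standard_conforming_strings on).

```python
"""Why a READ ONLY wrapper is not a sandbox: it is only as strong as the
guarantee that the payload is ONE statement. Stdlib only; illustrative code,
not pgAdmin's. Assumes PostgreSQL lexical rules with standard_conforming_strings
on (E'...' escape strings are not handled)."""
import re
from typing import List

DOLLAR_TAG = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)?\$")


def naive_readonly_wrap(sql: str) -> str:
    """The bypassable pattern: a generated statement is spliced into a script.
    Any top-level ';' in the payload ends the wrapped statement early, and a
    COMMIT after it leaves the READ ONLY transaction entirely."""
    return f"BEGIN; SET TRANSACTION READ ONLY; {sql}; ROLLBACK;"


def split_statements(sql: str) -> List[str]:
    """Split on top-level ';' while honouring 'single' and "double" quotes,
    $tag$...$tag$ dollar quoting, -- line comments and /* block comments */."""
    stmts: List[str] = []
    buf: List[str] = []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):                      # quoted literal or identifier
            j = i + 1
            while j < n:
                if sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:   # doubled quote is an escape
                        j += 2
                        continue
                    break
                j += 1
            buf.append(sql[i:j + 1]); i = j + 1
            continue
        if c == "$":
            m = DOLLAR_TAG.match(sql, i)
            if m:                                # dollar-quoted body may contain ';'
                tag = m.group(0)
                end = sql.find(tag, m.end())
                end = n if end == -1 else end + len(tag)
                buf.append(sql[i:end]); i = end
                continue
        if sql.startswith("--", i):              # line comment runs to end of line
            j = sql.find("\n", i)
            i = n if j == -1 else j
            continue
        if sql.startswith("/*", i):              # block comment (non-nested)
            j = sql.find("*/", i + 2)
            i = n if j == -1 else j + 2
            continue
        if c == ";":                             # top-level statement boundary
            stmts.append("".join(buf).strip()); buf = []; i += 1
            continue
        buf.append(c); i += 1
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s]


def is_single_statement(sql: str) -> bool:
    """True iff the payload is exactly one statement: the check the wrapper needs."""
    return len(split_statements(sql)) == 1


def guarded_readonly_wrap(sql: str) -> str:
    """Wrap only after proving the payload cannot escape the transaction."""
    if not is_single_statement(sql):
        raise ValueError("payload must be exactly one SQL statement")
    return naive_readonly_wrap(sql)


if __name__ == "__main__":
    # Constructed prompt-injected payload: the DELETE runs after COMMIT, in autocommit.
    payload = "SELECT 1; COMMIT; DELETE FROM accounts; BEGIN"
    for s in split_statements(naive_readonly_wrap(payload)):
        print("server executes:", s)
    print("single statement?", is_single_statement(payload))
```

The splitter is a defence-in-depth check, not the whole fix. The durable controls are to send the statement as a single parameterised query on a connection the driver holds read-only (psycopg 3 exposes `Connection.read_only`, psycopg2 `connection.set_session(readonly=True)`), and to run the assistant under a dedicated role that is not a superuser and is not a member of `pg_execute_server_program`, so that `COPY ... TO PROGRAM` is unavailable no matter what SQL the model produces.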
