MEDIUM 6.8

GHSA-rm79-x4g6-hvg5

pgAdmin 4 has command injection vulnerability on Windows systems

Details

pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / pgadmin4

Introduced in: 0 Fixed in: 9.10

Fix pip install --upgrade 'pgadmin4>=9.10'

References

https://nvd.nist.gov/vuln/detail/CVE-2025-12763 [ADVISORY]
https://github.com/pgadmin-org/pgadmin4/issues/9323 [WEB]
https://github.com/pgadmin-org/pgadmin4/commit/e374edc69239b3e02ecde895e27d9f9e488b87ee [WEB]
https://github.com/pgadmin-org/pgadmin4 [PACKAGE]