CVE-2026-12048 – pgAdmin 4
“When an administration tool becomes the attack path, the database is no longer the only asset at risk.”
pgAdmin 4 has been updated to address four significant vulnerabilities, including three Critical severity issues and one High severity issue. CVE-2026-12045 has a CVSS score of 9.0, which is Critical severity. This vulnerability allows prompt injection against the AI Assistant to bypass read-only transaction protections and execute unauthorized SQL. In environments where the connected database role has elevated privileges, the issue can extend to remote code execution on the database server host. CVE-2026-12046 has a CVSS score of 9.0, which is Critical severity and affects unauthenticated access to state-changing endpoints that can contribute to remote code execution when combined with additional compromise conditions. CVE-2026-12048 has a CVSS score of 9.3, which is Critical severity and addresses stored cross-site scripting that could allow attackers to inject malicious content into the pgAdmin interface.
The update also addresses CVE-2026-12044, which has a CVSS score of 8.8, which is High severity. This vulnerability involves SQL injection in multiple administrative templates and dialogs. The patch introduces stronger validation, authentication enforcement, output sanitization, and query handling controls across the platform. No verified exploitation information was provided for these vulnerabilities.
Key Details
- Affected Product
- Pgadmin Pgadmin 4
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- Required
- CWE Classification
- CWE-79