CVE-2025-12762

Remote Code Execution vulnerability when restoring PLAIN-format SQL dumps in server mode (pgAdmin 4)

CVSS 9.1 CRITICALEPSS 12.0%CWE-94

pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Affected products

pgadmin.org · pgAdmin 4

public PoCs found — 1

githubgithub.com/djayaGit/Blackash-CVE-2025-12762★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/pgadmin-org/pgadmin4/issues/9320