PatchSiren cyber security CVE debrief
CVE-2026-12047 pgadmin.org CVE debrief
An HTML injection vulnerability was discovered in pgAdmin 4's cloud deployment module. The issue arises from the lack of HTML encoding in exception text from AWS, Azure, and Google SDKs, which is then rendered as HTML by the Cloud Wizard frontend. This allows an authenticated user to inject HTML, potentially leading to self-targeted attacks or, with additional cross-site request-forgery primitives, attacks against other authenticated users. The vulnerability exists in multiple endpoints under /rds/, /azure/, /google/, and the top-level /cloud/ blueprint.
- Vendor
- pgadmin.org
- Product
- pgAdmin 4
- CVSS
- MEDIUM 4.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-19
- Original CVE updated
- 2026-06-29
- Advisory published
- 2026-06-19
- Advisory updated
- 2026-06-29
Who should care
pgAdmin 4 users, particularly those using versions between 6.6 and 9.16, should be aware of this vulnerability and take steps to mitigate it. The vulnerability has a CVSS score of 4.8 and is classified as MEDIUM severity. Affected operators, platforms, and security teams should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
Technical summary
The vulnerability exists in multiple endpoints under /rds/, /azure/, /google/, and the top-level /cloud/ blueprint. Specifically, the verify_credentials, deploy, regions, and update-server endpoints propagate exception text without HTML encoding. An attacker can exploit this by submitting a crafted access_key that contains an <iframe/src=...> payload, leading to potential cross-origin iframe exploitation and JavaScript execution.
Defensive priority
High
Recommended defensive actions
- Upgrade to pgAdmin 4 version 9.16 or later
- Implement additional security measures such as Content Security Policy (CSP) and Cross-Origin Resource Sharing (CORS) headers
- Monitor for suspicious activity and implement logging and auditing mechanisms
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-06-19T00:16:47.040Z and last modified on 2026-06-29T15:18:08.910Z. The NVD entry is currently Analyzed. This issue was reported by an external researcher and is based on limited source detail. Additional verification tasks are recommended to confirm affected scope and vendor guidance.
Official resources
-
CVE-2026-12047 CVE record
CVE.org
-
CVE-2026-12047 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 - Patch
-
Mitigation or vendor reference
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 - Issue Tracking, Patch
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-19T00:16:47.040Z and has not been modified since then. The NVD entry is currently Analyzed.