PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12047 pgadmin.org CVE debrief

An HTML injection vulnerability was discovered in pgAdmin 4's cloud deployment module. The issue arises from the lack of HTML encoding in exception text from AWS, Azure, and Google SDKs, which is then rendered as HTML by the Cloud Wizard frontend. This allows an authenticated user to inject HTML, potentially leading to self-targeted attacks or, with additional cross-site request-forgery primitives, attacks against other authenticated users. The vulnerability exists in multiple endpoints under /rds/, /azure/, /google/, and the top-level /cloud/ blueprint.

Vendor
pgadmin.org
Product
pgAdmin 4
CVSS
MEDIUM 4.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-19
Original CVE updated
2026-06-29
Advisory published
2026-06-19
Advisory updated
2026-06-29

Who should care

pgAdmin 4 users, particularly those using versions between 6.6 and 9.16, should be aware of this vulnerability and take steps to mitigate it. The vulnerability has a CVSS score of 4.8 and is classified as MEDIUM severity. Affected operators, platforms, and security teams should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

The vulnerability exists in multiple endpoints under /rds/, /azure/, /google/, and the top-level /cloud/ blueprint. Specifically, the verify_credentials, deploy, regions, and update-server endpoints propagate exception text without HTML encoding. An attacker can exploit this by submitting a crafted access_key that contains an <iframe/src=...> payload, leading to potential cross-origin iframe exploitation and JavaScript execution.

Defensive priority

High

Recommended defensive actions

  • Upgrade to pgAdmin 4 version 9.16 or later
  • Implement additional security measures such as Content Security Policy (CSP) and Cross-Origin Resource Sharing (CORS) headers
  • Monitor for suspicious activity and implement logging and auditing mechanisms
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-06-19T00:16:47.040Z and last modified on 2026-06-29T15:18:08.910Z. The NVD entry is currently Analyzed. This issue was reported by an external researcher and is based on limited source detail. Additional verification tasks are recommended to confirm affected scope and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-19T00:16:47.040Z and has not been modified since then. The NVD entry is currently Analyzed.