PatchSiren cyber security CVE debrief
CVE-2026-12048 pgadmin.org CVE debrief
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-19T00:16:47.200Z and has not been modified since then. The NVD entry is currently Analyzed. This stored cross-site scripting vulnerability in pgAdmin 4's error-rendering and plan-node-rendering paths allows an attacker to inject arbitrary HTML, potentially leading to phishing attacks. The vulnerability exists because text returned by a PostgreSQL server is passed verbatim through html-react-parser. The fix involves DOMPurify sanitisation, a new plain-text rendering contract, and backend HTML-escape.
- Vendor
- pgadmin.org
- Product
- pgAdmin 4
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-19
- Original CVE updated
- 2026-06-29
- Advisory published
- 2026-06-19
- Advisory updated
- 2026-06-29
Who should care
pgAdmin 4 users and administrators should be aware of this vulnerability, as it allows an attacker to inject arbitrary HTML into the pgAdmin DOM, potentially leading to phishing attacks. Affected operator roles include developers, database administrators, and security teams. Platform impact includes potential lateral movement within the network. Vulnerability-management teams should prioritize patching, and security teams should review system logs for potential exploitation attempts.
Technical summary
The vulnerability exists in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server is passed verbatim through html-react-parser, allowing an attacker to inject arbitrary HTML. This can lead to phishing attacks, as the injected iframe's srcdoc can fetch attacker-served JavaScript and redirect the victim's top-level pgAdmin browser tab to an attacker-controlled URL. The fix combines three complementary layers: DOMPurify sanitisation, plain-text rendering contract, and backend HTML-escape.
Defensive priority
High
Recommended defensive actions
- Apply the patch by updating pgAdmin 4 to version 9.16 or later
- Use DOMPurify sanitisation around every html-react-parser call site
- Migrate to plain-text rendering contract using SafeMessage / SafeHtmlMessage components
- Apply backend HTML-escape at the post-connection-SQL handler
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The vulnerability affects pgAdmin 4 from version 6.0 before 9.16. The fix combines three complementary layers: DOMPurify sanitisation, plain-text rendering contract, and backend HTML-escape. Evidence limits suggest that defenders verify the patch application and review system logs for potential exploitation attempts. Source grounding indicates that this issue was reported by an external researcher and verified by the pgAdmin team. Affected scope appears limited to pgAdmin 4 users with access to the PostgreSQL server.
Official resources
-
CVE-2026-12048 CVE record
CVE.org
-
CVE-2026-12048 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 - Patch
-
Mitigation or vendor reference
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 - Issue Tracking, Patch
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-19T00:16:47.200Z and has not been modified since then.