PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12048 pgadmin.org CVE debrief

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-19T00:16:47.200Z and has not been modified since then. The NVD entry is currently Analyzed. This stored cross-site scripting vulnerability in pgAdmin 4's error-rendering and plan-node-rendering paths allows an attacker to inject arbitrary HTML, potentially leading to phishing attacks. The vulnerability exists because text returned by a PostgreSQL server is passed verbatim through html-react-parser. The fix involves DOMPurify sanitisation, a new plain-text rendering contract, and backend HTML-escape.

Vendor
pgadmin.org
Product
pgAdmin 4
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-19
Original CVE updated
2026-06-29
Advisory published
2026-06-19
Advisory updated
2026-06-29

Who should care

pgAdmin 4 users and administrators should be aware of this vulnerability, as it allows an attacker to inject arbitrary HTML into the pgAdmin DOM, potentially leading to phishing attacks. Affected operator roles include developers, database administrators, and security teams. Platform impact includes potential lateral movement within the network. Vulnerability-management teams should prioritize patching, and security teams should review system logs for potential exploitation attempts.

Technical summary

The vulnerability exists in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server is passed verbatim through html-react-parser, allowing an attacker to inject arbitrary HTML. This can lead to phishing attacks, as the injected iframe's srcdoc can fetch attacker-served JavaScript and redirect the victim's top-level pgAdmin browser tab to an attacker-controlled URL. The fix combines three complementary layers: DOMPurify sanitisation, plain-text rendering contract, and backend HTML-escape.

Defensive priority

High

Recommended defensive actions

  • Apply the patch by updating pgAdmin 4 to version 9.16 or later
  • Use DOMPurify sanitisation around every html-react-parser call site
  • Migrate to plain-text rendering contract using SafeMessage / SafeHtmlMessage components
  • Apply backend HTML-escape at the post-connection-SQL handler
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The vulnerability affects pgAdmin 4 from version 6.0 before 9.16. The fix combines three complementary layers: DOMPurify sanitisation, plain-text rendering contract, and backend HTML-escape. Evidence limits suggest that defenders verify the patch application and review system logs for potential exploitation attempts. Source grounding indicates that this issue was reported by an external researcher and verified by the pgAdmin team. Affected scope appears limited to pgAdmin 4 users with access to the PostgreSQL server.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-19T00:16:47.200Z and has not been modified since then.