PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-7814 pgadmin.org CVE debrief

A stored cross-site scripting (XSS) vulnerability in pgAdmin 4 allows attacker-controlled JavaScript execution via malicious PostgreSQL object names. The vulnerability exists in the Browser Tree and Explain Visualizer modules, where user-controlled object names (database, schema, table, column, etc.) were assigned to DOM elements using innerHTML. Crafted object names containing HTML markup can execute JavaScript in the browser of any pgAdmin user who navigates to or executes EXPLAIN over the malicious object. The fix replaces innerHTML with textContent to properly neutralize HTML content. Affected versions are pgAdmin 4 before 9.15. The CVSS 4.0 score of 4.8 (MEDIUM) reflects the high privileges required to create database objects and the user interaction needed for exploitation.

Vendor: pgadmin.org
Product: pgAdmin 4
CVSS: MEDIUM 4.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-11
Original CVE updated: 2026-05-26
Advisory published: 2026-05-11
Advisory updated: 2026-05-26

Who should care

Database administrators managing pgAdmin 4 deployments, security teams overseeing PostgreSQL infrastructure, and organizations with multi-user database environments where privilege separation between object creators and object viewers is practiced. The vulnerability is particularly relevant for environments where lower-privileged users can create objects that higher-privileged users may subsequently access or analyze with EXPLAIN.

Technical summary

The vulnerability stems from improper use of innerHTML to assign user-controlled PostgreSQL object names to DOM elements in pgAdmin 4's Browser Tree and Explain Visualizer components. When a database object is created with a name containing HTML markup and JavaScript, such as `<img src=x onerror=alert(1)>`, the innerHTML assignment causes the browser to parse and execute the embedded script. This is a classic stored XSS pattern where the payload persists in the database and executes whenever any pgAdmin user interacts with the malicious object. The remediation follows secure coding practices by switching to textContent, which treats the input as literal text rather than HTML, thereby preventing script execution while preserving the display of object names.

Defensive priority

medium

Recommended defensive actions

  • Upgrade pgAdmin 4 to version 9.15 or later to remediate the stored XSS vulnerability
  • Audit PostgreSQL databases for suspicious object names containing HTML or JavaScript content, particularly in shared or multi-user environments
  • Review access controls to limit which users can create or rename database objects, as exploitation requires privileges to create maliciously named objects
  • Monitor pgAdmin access logs for unusual navigation patterns to the Browser Tree or Explain Visualizer modules
  • If immediate patching is not possible, implement web application firewall rules to detect and block common XSS payloads in object name fields; note that this only covers object creation or renaming routed through pgAdmin, not objects created with psql or other SQL clients, so pair it with the catalog audit above
  • Educate database administrators about the risk of executing EXPLAIN on untrusted database objects
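The audit action above and the neutralization point in the technical summary can both be exercised offline. The following is an added example, not code from pgAdmin or from the original debrief: it runs a regex screen over object names, offers a catalog query (standard PostgreSQL system catalogs) that a DB-API connection could feed to the same screen, and shows HTML escaping as the server-side equivalent of what `textContent` does in the browser. The regex, the sample rows, and the function names are assumptions constructed for this example; the patterns are a starting point, not an exhaustive XSS signature.

```python
import html
import re
from typing import Iterable, List, Tuple

# Constructed screening pattern: an opening HTML tag, an inline on*= event
# handler, or a javascript: URL. These are the three shapes a stored-XSS
# payload in an object name needs to land in an innerHTML assignment.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-zA-Z!]"         # start of a tag, e.g. <img or <script
    r"|\bon[a-zA-Z]+\s*="         # inline event handler, e.g. onerror=
    r"|javascript\s*:",           # javascript: URL scheme
    re.IGNORECASE,
)

# Catalog query covering the object kinds the Browser Tree renders.
# Uses only standard PostgreSQL system catalogs; run it per database.
AUDIT_SQL = """
SELECT 'database' AS kind, datname AS name FROM pg_database
UNION ALL
SELECT 'schema', nspname FROM pg_namespace
UNION ALL
SELECT 'relation', relname FROM pg_class
UNION ALL
SELECT 'column', attname FROM pg_attribute
 WHERE attnum > 0 AND NOT attisdropped
"""

Row = Tuple[str, str]  # (object kind, object name)


def flag_suspicious(rows: Iterable[Row]) -> List[Row]:
    """Return the (kind, name) rows whose name matches the screening pattern."""
    return [(kind, name) for kind, name in rows if SUSPICIOUS.search(name)]


def run_audit(conn) -> List[Row]:
    """Execute AUDIT_SQL on a DB-API connection (e.g. psycopg2) and screen the result.

    Hypothetical helper: the caller supplies the connection; nothing here
    opens one, so the module stays runnable offline.
    """
    cur = conn.cursor()
    cur.execute(AUDIT_SQL)
    return flag_suspicious(cur.fetchall())


def safe_display(name: str) -> str:
    """Server-side analogue of textContent: markup becomes literal text.

    In the browser the fix is element.textContent = name; if a name must be
    embedded into an HTML string instead, escape it like this.
    """
    return html.escape(name, quote=True)


# Constructed sample rows standing in for a catalog query result. The first
# payload is the one quoted in the debrief; the last row is a benign name
# that starts with "on" and must not be flagged.
SAMPLE_ROWS: List[Row] = [
    ("schema", "public"),
    ("relation", "orders"),
    ("relation", "<img src=x onerror=alert(1)>"),
    ("column", "customer_id"),
    ("column", 'a" onmouseover="alert(2)'),
    ("relation", "onboarding_status"),
]

if __name__ == "__main__":
    for kind, name in flag_suspicious(SAMPLE_ROWS):
        print(f"suspicious {kind}: {name!r} -> rendered safely as {safe_display(name)!r}")
```

A hit from this screen is a triage signal, not proof of compromise: look at who created or renamed the object (pg_stat_statements or database audit logging, where enabled) and whether any pgAdmin user has browsed it or run EXPLAIN over it since. Note that `pg_class.relname` also covers indexes, sequences and views, which is intended, since the Browser Tree renders those names too.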

Evidence notes

Vulnerability confirmed via NVD with Analyzed status. CPE criteria specify affected versions from 6.9 up to but not including 9.15. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as the weakness. Fix implemented in GitHub pull request replacing innerHTML with textContent.

Official resources

2026-05-11