These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
pgAdmin 4 versions prior to 9.15 contain an authentication bypass vulnerability in the account lockout mechanism. The application enforces MAX_LOGIN_ATTEMPTS only within its custom /authenticate/login view, while Flask-Security's default /login view—automatically registered and reachable on every server—fails to consult the User.locked field. This occurs because pgAdmin's User model relied on Flask-Securi [truncated]
A symbolic-link path traversal vulnerability in pgAdmin 4's File Manager allows authenticated users to write files to arbitrary locations on the server filesystem. The root cause is a mismatch between access validation and file operations: `check_access_permission` uses `os.path.abspath`, which normalizes parent-directory references but does not resolve symbolic links, while the subsequent kernel write fo [truncated]
pgAdmin 4 versions before 9.15 contain a deserialization vulnerability in the FileBackedSessionManager component. The session manager performed unsafe deserialization of session file contents using Python's standard pickle module before verifying HMAC integrity. This allowed any file placed in the sessions directory to be deserialized unconditionally. An authenticated user with write access to the session [truncated]
CVE-2026-7817 documents Local File Inclusion (LFI) and Server-Side Request Forgery (SSRF) vulnerabilities in pgAdmin 4's LLM API configuration endpoints. The issue stems from insufficient validation of user-supplied `api_key_file` and `api_url` preferences, which were passed directly to LLM provider clients without sanitization. An authenticated attacker could exploit this to read arbitrary files readable [truncated]
CVE-2026-7816 is a high-severity OS command injection vulnerability (CWE-78) in pgAdmin 4's Import/Export query export functionality, published 2026-05-11 and last modified 2026-05-26. The vulnerability exists because user-supplied input was interpolated directly into a psql `COPY` metacommand template without proper sanitization. An authenticated attacker could inject `) TO PROGRAM 'cmd'` to break out of [truncated]
A SQL injection vulnerability in pgAdmin 4's Maintenance Tool allows authenticated users with tools_maintenance permission to execute arbitrary SQL on connected PostgreSQL servers. Four JSON parameters (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into VACUUM/ANALYZE/REINDEX commands without proper sanitization. Attackers can break out of option [truncated]
A stored cross-site scripting (XSS) vulnerability in pgAdmin 4 allows attacker-controlled JavaScript execution via malicious PostgreSQL object names. The vulnerability exists in the Browser Tree and Explain Visualizer modules, where user-controlled object names (database, schema, table, column, etc.) were assigned to DOM elements using innerHTML. Crafted object names containing HTML markup can execute Jav [truncated]
pgAdmin 4 server mode contains multiple authorization flaws allowing authenticated users to access and modify other users' private resources. Affected modules include Server Groups, Servers, Shared Servers, Background Processes, and Debugger. The core issue is missing user-scoped filtering on object retrieval endpoints, enabling ID-guessing attacks to access private servers, server groups, background proc [truncated]
