Description
Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server (ErrorResponse messages, including object names quoted back inside relation-does-not-exist errors and inside EXPLAIN Recheck Cond / Exact Heap Blocks fields) was passed verbatim through html-react-parser at every user-facing sink — the notifier toasts, FormFooterMessage / FormInput help and error areas, FormNote, ModalProvider AlertContent and confirmDelete, ToolErrorView, the Explain visualiser's NodeText panel, the SQL editor confirm dialogs, ConfirmSaveContent, PreferencesHelper modal alerts, and SelectThemes helper text. A PostgreSQL server an attacker controls — or any server returning attacker-influenced text such as a table or column name a low-privilege database user can create — could inject arbitrary HTML (including <iframe>) into the pgAdmin DOM the moment the victim's pgAdmin connected to that server or viewed an Explain plan that referenced the crafted object.

The injected iframe's srcdoc could fetch attacker-served JavaScript and, by writing to parent.location, redirect the victim's top-level pgAdmin browser tab to an attacker-controlled URL. Because the injection originates from inside pgAdmin's own interface, standard anti-clickjacking controls (X-Frame-Options, Content-Security-Policy: frame-ancestors) do not mitigate it. A phishing page rendered inside the legitimate pgAdmin window is indistinguishable from a genuine pgAdmin dialog.

Fix combines three complementary layers. (1) DOMPurify sanitisation is wrapped around every html-react-parser call site reachable from notifier, alert, form-error, Explain, and SQL-editor flows. (2) A new plain-text rendering contract — SafeMessage / SafeHtmlMessage components plus Notifier.errorText / alertText / warningText / infoText / successText helpers — is introduced; around fifty callers across browser, tools, dashboard, debugger, misc, llm, preferences, schema diff, and the SQL editor that previously interpolated backend-derived strings are migrated to the plain-text variants. (3) Backend HTML-escape is applied at the post-connection-SQL handler (execute_post_connection_sql) via a new sanitize_external_text helper, so third-party JSON consumers (audit logs, API clients) never receive raw markup either; the Explain plan-info renderer is also patched to _.escape Recheck Cond and Exact Heap Blocks at construction (matching every sibling field), giving defence in depth even before DOMPurify runs.

This issue affects pgAdmin 4: from 6.0 before 9.16.
Published: 2026-06-18
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Stored cross‑site scripting exists in the error‑rendering and plan‑node rendering paths of pgAdmin 4. Arbitrary text returned by a PostgreSQL server—such as error messages, object names, or EXPLAIN output— is passed unchecked through the html‑react‑parser library to many front‑end sinks (toasts, form helpers, editor dialogs, and the explain visualiser). An attacker who controls the PostgreSQL server or can influence the names of database objects can inject malicious HTML, including iframes, that runs in the context of the pgAdmin page. The injected iframe can load attacker‑served JavaScript and redirect the user to a phishing or malicious URL. Because the content originates from pgAdmin itself, standard click‑jacking controls such as X‑Frame‑Options and CSP frame‑ancestors do not provide protection.

Affected Systems

The vulnerability affects all pgAdmin 4 installations from version 6.0 up to, but excluding, version 9.16. The attack can be carried out against any instance that connects to a PostgreSQL server an attacker can manipulate, or to a server that permits low‑privilege users to create objects with harmful names.

Risk and Exploitability

The CVSS score of 9.3 marks the issue as critical, and while an EPSS score is not published, the lack of a KEV listing indicates it has not yet been widely abused. Exploitation requires a user with a browser session against a compromised or maliciously configured PostgreSQL instance; the vulnerability is indirect, leveraging the server’s ability to inject custom text. Because the flaw occurs at rendering time within pgAdmin itself, web‑application firewalls that block XSS payloads only in untrusted content may still allow the injection if the payload is injected via server messages.

Generated by OpenCVE AI on June 19, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pgAdmin 4 to version 9.16 or newer, which applies comprehensive DOMPurify sanitization, a safe‑rendering contract, and backend HTML‑escaping for all user‑supplied text.
  • If an upgrade cannot be performed immediately, restrict access to PostgreSQL servers that an attacker could control and limit the creation of custom database object names that could contain malicious markup. Ensure that low‑privilege users cannot produce object names that might be reflected back in error messages or EXPLAIN output.
  • Deploy a web‑application firewall or apply a strong content‑security‑policy that blocks the injection of <iframe> tags or other malicious elements in responses that reach the client, thereby reducing the likelihood that the attacker’s code is executed.

Generated by OpenCVE AI on June 19, 2026 at 01:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Description Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server (ErrorResponse messages, including object names quoted back inside relation-does-not-exist errors and inside EXPLAIN Recheck Cond / Exact Heap Blocks fields) was passed verbatim through html-react-parser at every user-facing sink — the notifier toasts, FormFooterMessage / FormInput help and error areas, FormNote, ModalProvider AlertContent and confirmDelete, ToolErrorView, the Explain visualiser's NodeText panel, the SQL editor confirm dialogs, ConfirmSaveContent, PreferencesHelper modal alerts, and SelectThemes helper text. A PostgreSQL server an attacker controls — or any server returning attacker-influenced text such as a table or column name a low-privilege database user can create — could inject arbitrary HTML (including <iframe>) into the pgAdmin DOM the moment the victim's pgAdmin connected to that server or viewed an Explain plan that referenced the crafted object. The injected iframe's srcdoc could fetch attacker-served JavaScript and, by writing to parent.location, redirect the victim's top-level pgAdmin browser tab to an attacker-controlled URL. Because the injection originates from inside pgAdmin's own interface, standard anti-clickjacking controls (X-Frame-Options, Content-Security-Policy: frame-ancestors) do not mitigate it. A phishing page rendered inside the legitimate pgAdmin window is indistinguishable from a genuine pgAdmin dialog. Fix combines three complementary layers. (1) DOMPurify sanitisation is wrapped around every html-react-parser call site reachable from notifier, alert, form-error, Explain, and SQL-editor flows. (2) A new plain-text rendering contract — SafeMessage / SafeHtmlMessage components plus Notifier.errorText / alertText / warningText / infoText / successText helpers — is introduced; around fifty callers across browser, tools, dashboard, debugger, misc, llm, preferences, schema diff, and the SQL editor that previously interpolated backend-derived strings are migrated to the plain-text variants. (3) Backend HTML-escape is applied at the post-connection-SQL handler (execute_post_connection_sql) via a new sanitize_external_text helper, so third-party JSON consumers (audit logs, API clients) never receive raw markup either; the Explain plan-info renderer is also patched to _.escape Recheck Cond and Exact Heap Blocks at construction (matching every sibling field), giving defence in depth even before DOMPurify runs. This issue affects pgAdmin 4: from 6.0 before 9.16.
Title pgAdmin 4: Stored XSS via untrusted error and plan-node text rendered through html-react-parser
Weaknesses CWE-116
CWE-79
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-06-18T23:37:41.541Z

Reserved: 2026-06-11T20:40:08.398Z

Link: CVE-2026-12048

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T01:30:16Z

Weaknesses
  • CWE-116

    Improper Encoding or Escaping of Output

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')