Description
Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules.

User-controlled PostgreSQL object names (database, schema, table, column, etc.) were assigned to DOM elements via innerHTML, allowing crafted object names containing HTML markup to execute attacker-supplied JavaScript in the browser of any pgAdmin user who navigated to or executed EXPLAIN over the malicious object.

Fix replaces innerHTML with textContent.

This issue affects pgAdmin 4: before 9.15.
Published: 2026-05-11
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows attacker-supplied PostgreSQL object names to be embedded directly into web page HTML via innerHTML. When a user opens the Browser Tree or executes an EXPLAIN on a malicious object, the browser runs the injected JavaScript, enabling session hijacking, cookie theft, or defacement. The weakness is a classic stored XSS (CWE-79), affecting confidentiality, integrity, and user trust.

Affected Systems

Vulnerable builds of pgAdmin 4 earlier than version 9.15 distributed by pgadmin.org, applicable to any installation using the Browser Tree or Explain Visualizer features.

Risk and Exploitability

With a CVSS score of 4.8, the issue is moderate; no EPSS data is available and the vulnerability is not listed in CISA KEV. Exploitation requires the attacker to create a malicious object name in a database that the target user has access to, and the target must open or examine that object within pgAdmin. The attack vector is user interaction with the application, not remote code execution.

Generated by OpenCVE AI on May 11, 2026 at 17:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pgAdmin 4 to version 9.15 or later to apply the fix that replaces innerHTML with textContent.
  • If upgrading immediately is not possible, disallow or sanitize object names containing HTML markup before they are rendered, or configure the application to use textContent in all DOM assignments.
  • Restrict database users from creating or naming objects with potentially harmful characters, and monitor logs for unusual object names that could trigger XSS.

Generated by OpenCVE AI on May 11, 2026 at 17:01 UTC.
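As an added illustration (not pgAdmin or OpenCVE code), a PostgreSQL catalog query that supports the last recommendation above: run it in each database of a cluster to inventory database, schema, relation and column names containing characters that are significant in HTML, so they can be reviewed before users browse them in an unpatched pgAdmin. The character class treated as suspicious is an assumption; extend it if your review needs to be broader.

```sql
-- Constructed audit query: list object names that contain HTML-significant
-- characters. pg_database is cluster-wide, but pg_namespace, pg_class and
-- pg_attribute are per database, so run this once in every database.
WITH object_names AS (
    SELECT 'database' AS kind, NULL::text AS container, datname AS name
      FROM pg_database
    UNION ALL
    SELECT 'schema', NULL, nspname
      FROM pg_namespace
    UNION ALL
    SELECT 'relation', n.nspname, c.relname          -- tables, views, sequences, ...
      FROM pg_class c
      JOIN pg_namespace n ON n.oid = c.relnamespace
    UNION ALL
    SELECT 'column', n.nspname || '.' || c.relname, a.attname
      FROM pg_attribute a
      JOIN pg_class c     ON c.oid = a.attrelid
      JOIN pg_namespace n ON n.oid = c.relnamespace
     WHERE a.attnum > 0 AND NOT a.attisdropped       -- skip system and dropped columns
)
SELECT kind, container, name, quote_ident(name) AS quoted_for_ddl
  FROM object_names
 WHERE name ~ '[<>"''&]'                              -- assumed set of suspicious characters
 ORDER BY kind, container, name;
```

An empty result set means no object names in that database carry the characters checked; any row returned is worth a look, and the quoted form helps when renaming the object with ALTER ... RENAME.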

Advisories

No advisories yet.

History

Tue, 12 May 2026 09:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Pgadmin; Pgadmin pgadmin 4
Vendors & Products  |                | Pgadmin; Pgadmin pgadmin 4

Mon, 11 May 2026 18:30:00 +0000

Type                | Values Removed | Values Added
References          |                |
Metrics             |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 17:30:00 +0000

Type                | Values Removed | Values Added
Weaknesses          |                | CWE-79

Mon, 11 May 2026 15:30:00 +0000

Type                | Values Removed | Values Added
Description         |                | Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules. User-controlled PostgreSQL object names (database, schema, table, column, etc.) were assigned to DOM elements via innerHTML, allowing crafted object names containing HTML markup to execute attacker-supplied JavaScript in the browser of any pgAdmin user who navigated to or executed EXPLAIN over the malicious object. Fix replaces innerHTML with textContent. This issue affects pgAdmin 4: before 9.15.
Title               |                | pgAdmin 4: Stored XSS via crafted PostgreSQL object names in Browser Tree and Explain Visualizer
References          |                |
Metrics             |                | cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
                    |                | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-11T17:31:37.625Z

Reserved: 2026-05-04T21:26:56.561Z

Link: CVE-2026-7814

Vulnrichment

Updated: 2026-05-11T17:31:06.639Z

NVD

Status: Received

Published: 2026-05-11T16:17:37.620

Modified: 2026-05-11T18:16:42.950

Link: CVE-2026-7814

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:00:06Z

Weaknesses