Impact
An SQL injection flaw in the Maintenance Tool of pgAdmin 4 allows an authenticated user who has the tools_maintenance permission to inject malicious SQL into the VACUUM/ANALYZE/REINDEX command. The injected statements can execute arbitrary PostgreSQL commands and, by using COPY … TO PROGRAM, can chain into operating‑system command execution on the database host, thereby compromising confidentiality, integrity and availability of the underlying system.
Affected Systems
Legacy installations of pgAdmin 4 released before version 9.15 are affected. The flaw resides in four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, and reindex_tablespace), which are concatenated directly into the SQL command without validation.
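The following is an added illustration, not pgAdmin's own code, of the defect class described above: a builder that pastes the four JSON fields straight into the maintenance command, placed beside a hardened builder that type-checks and allow-lists each field before it reaches SQL. The field names are those from the advisory; the SQL layout, the regular expressions, the bounds and the helper names are assumptions made for this example.

```python
"""Added example, not pgAdmin's own code.

Shows the defect the advisory describes (user-supplied JSON fields pasted
into the VACUUM/REINDEX command text) next to a hardened builder that
validates every option before it reaches SQL. The field names match the
advisory; the SQL layout, regexes, bounds and helper names are assumptions
made for this illustration, not pgAdmin's implementation.
"""
import re


class MaintenanceOptionError(ValueError):
    """Raised when a request field does not match its allow-list."""


# Constructed sample request, as the web tier would decode it from JSON.
SAFE_REQUEST = {
    "buffer_usage_limit": "16MB",
    "vacuum_parallel": 2,
    "vacuum_index_cleanup": "auto",
    "reindex_tablespace": "fast_ssd",
}

# Constructed hostile request: the size field carries extra SQL syntax.
TAMPERED_REQUEST = {"buffer_usage_limit": "16MB); SELECT 'injected' --"}


def build_vacuum_unsafe(data: dict) -> str:
    """Vulnerable pattern: str() of each field is concatenated into SQL."""
    opts = []
    if data.get("buffer_usage_limit"):
        opts.append("BUFFER_USAGE_LIMIT " + str(data["buffer_usage_limit"]))
    if data.get("vacuum_parallel") is not None:
        opts.append("PARALLEL " + str(data["vacuum_parallel"]))
    if data.get("vacuum_index_cleanup"):
        opts.append("INDEX_CLEANUP " + str(data["vacuum_index_cleanup"]))
    return "VACUUM (" + ", ".join(opts) + ");"


# Allow-lists (assumed for this example): a memory size with an optional
# unit, a bounded integer, a fixed keyword set, and a plain identifier.
_SIZE_RE = re.compile(r"\d{1,7}(kB|MB|GB)?")
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")
_INDEX_CLEANUP = {"AUTO", "ON", "OFF"}
_MAX_PARALLEL = 1024


def build_vacuum_safe(data: dict) -> str:
    """Hardened builder: each field is type-checked and allow-listed."""
    opts = []

    limit = data.get("buffer_usage_limit")
    if limit not in (None, ""):
        if not isinstance(limit, str) or not _SIZE_RE.fullmatch(limit):
            raise MaintenanceOptionError("buffer_usage_limit")
        opts.append(f"BUFFER_USAGE_LIMIT '{limit}'")  # validated literal only

    parallel = data.get("vacuum_parallel")
    if parallel is not None:
        # bool is an int subclass in Python; reject it explicitly
        if isinstance(parallel, bool) or not isinstance(parallel, int) \
                or not 0 <= parallel <= _MAX_PARALLEL:
            raise MaintenanceOptionError("vacuum_parallel")
        opts.append(f"PARALLEL {parallel}")

    cleanup = data.get("vacuum_index_cleanup")
    if cleanup not in (None, ""):
        if not isinstance(cleanup, str) or cleanup.upper() not in _INDEX_CLEANUP:
            raise MaintenanceOptionError("vacuum_index_cleanup")
        opts.append(f"INDEX_CLEANUP {cleanup.upper()}")

    return "VACUUM (" + ", ".join(opts) + ");" if opts else "VACUUM;"


def reindex_tablespace_clause(data: dict) -> str:
    """Tablespace name is validated as an identifier, then double-quoted."""
    name = data.get("reindex_tablespace")
    if name in (None, ""):
        return ""
    if not isinstance(name, str) or not _IDENT_RE.fullmatch(name):
        raise MaintenanceOptionError("reindex_tablespace")
    return f'TABLESPACE "{name}"'


def rejects(builder, data: dict) -> bool:
    """True if the hardened builder refuses the request."""
    try:
        builder(data)
    except MaintenanceOptionError:
        return True
    return False


if __name__ == "__main__":
    print(build_vacuum_unsafe(TAMPERED_REQUEST))   # extra statement survives
    print(build_vacuum_safe(SAFE_REQUEST))
    print("rejected:", rejects(build_vacuum_safe, TAMPERED_REQUEST))
```

The design point is that none of the four fields is free text from PostgreSQL's perspective: each is a size, a small integer, a keyword from a closed set, or an identifier, so each can be validated against a narrow shape and rejected on mismatch. Running the unsafe builder on the tampered request shows the statement terminator passing through untouched, which is exactly the condition the advisory describes; the hardened builder raises before any SQL text is produced.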
Risk and Exploitability
The CVSS score of 8.7 indicates high severity. No EPSS score is published, but the vulnerability requires valid application credentials and a role with maintenance privileges, so the attack surface is limited to users with those permissions. No documented exploitation in the wild has been reported, although the issue was publicly disclosed. The likely attack vector is the pgAdmin web interface, where an authenticated user with maintenance privileges can trigger malicious commands directly, bypassing PostgreSQL client restrictions. The capability to run arbitrary OS commands via COPY TO PROGRAM exacerbates the impact, enabling full server compromise when the database host is not hardened.
OpenCVE Enrichment