https://www.pgadmin.org/docs/pgadmin4/9.2/release_notes_9_2.html
announces the release of version 9.2 of pgAdmin 4, and lists these 2
security fixes as being included:
Issue #8602 - Fixed an XSS vulnerability issue in the Query Tool and View/Edit
Data (CVE-2025-2946).
Issue #8603 - Fixed a remote code execution issue in the Query Tool and Cloud
Deployment (CVE-2025-2945).
https://github.com/pgadmin-org/pgadmin4/issues/8602 says:
When a user runs a query that retrieves data containing malicious JavaScript
payloads, PgAdmin renders the result without proper sanitization.
This leads to the immediate execution of embedded scripts within the browser.
Steps to Reproduce:
1. Open PgAdmin and connect to any database instance.
2. Navigate to the Query Tool.
3. Run the following SQL commands:
CREATE TABLE IF NOT EXISTS EXAMPLE (TEXT_SAMPLE VARCHAR(255));
-- TRUNCATE TABLE EXAMPLE;
INSERT INTO EXAMPLE (TEXT_SAMPLE) VALUES
('<img src=a onerror=alert(Payload_here)>');
SELECT * FROM EXAMPLE;
4. After executing the SELECT statement, an alert box is triggered as the
JavaScript executes directly in the query result grid.
Expected Behavior:
Query results should display the data as plain text. Any potentially harmful
HTML or JavaScript content should be sanitised or escaped before rendering,
preventing script execution in the browser.
https://github.com/pgadmin-org/pgadmin4/issues/8603 says:
Query Tool RCE vulnerability POC:
https://github.com/pyozzi-toss/poc/raw/refs/heads/main/pgAdmin_poc.mp4
Cloud Deployment with Google Provider vulnerability POC:
https://www.youtube.com/watch?v=V2WzCmRct7s&ab_channel=SYP
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
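The rendering defect in issue #8602, as an added example that is not pgAdmin's own code: a minimal result-grid renderer in the vulnerable form (cell values interpolated into markup unchanged) beside a hardened form that escapes every value, plus a regression check a project could keep. The function names, the grid layout and the sample rows are assumptions constructed for this illustration.

```javascript
// Added example, not pgAdmin's code. Escape the characters that can end
// an HTML text node or attribute value, so data is displayed as text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Shared table layout; `cell` decides how a value becomes markup.
function renderGrid(columns, rows, cell) {
  const head = columns.map((c) => `<th>${cell(c)}</th>`).join("");
  const body = rows
    .map((r) => `<tr>${columns.map((c) => `<td>${cell(r[c])}</td>`).join("")}</tr>`)
    .join("");
  return `<table><thead><tr>${head}</tr></thead><tbody>${body}</tbody></table>`;
}

// Vulnerable form: the database value is placed into the page unchanged,
// so an <img onerror=...> stored in a column becomes a live element.
function renderGridUnsafe(columns, rows) {
  return renderGrid(columns, rows, (v) => (v === null ? "" : String(v)));
}

// Hardened form: the value is escaped, so the browser shows the tag as
// literal text. SQL NULL is rendered as an empty cell, not the string "null".
function renderGridSafe(columns, rows) {
  return renderGrid(columns, rows, (v) => (v === null ? "" : escapeHtml(v)));
}

// Constructed sample mirroring the reproduction steps quoted in the issue.
const SAMPLE_COLUMNS = ["text_sample"];
const SAMPLE_ROWS = [
  { text_sample: "<img src=a onerror=alert(Payload_here)>" },
  { text_sample: null },
];

// Regression check: no rendered cell may contain a raw angle bracket,
// i.e. no cell may contribute a tag of its own to the page.
function cellsRenderAsText(html) {
  const cells = [...html.matchAll(/<td>(.*?)<\/td>/g)].map((m) => m[1]);
  return cells.every((c) => !/[<>]/.test(c));
}
```

Running `cellsRenderAsText` over the output of each renderer with `SAMPLE_ROWS` returns false for the unsafe one and true for the hardened one.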