Bug 2414820 (CVE-2025-12762) - CVE-2025-12762 pgadmin4: Remote Code Execution vulnerability when restoring PLAIN-format SQL dumps in server mode (pgAdmin 4)
Summary: CVE-2025-12762 pgadmin4: Remote Code Execution vulnerability when restoring P...
Keywords:
Status: NEW
Alias: CVE-2025-12762
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2415410 2415411 2415412
Blocks:
Reported: 2025-11-13 14:01 UTC by OSIDB Bzimport
Modified: 2025-11-17 16:48 UTC
CC List: 0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description OSIDB Bzimport 2025-11-13 14:01:20 UTC
pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.
