CVE-2026-7815 – pgAdmin 4: SQL injection in Maintenance tool option values leading to remote code execution

CVE ID :CVE-2026-7815

Published : May 11, 2026, 4:17 p.m. | 41 minutes ago

Description :SQL injection vulnerability in pgAdmin 4 Maintenance Tool.

Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql –command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY … TO PROGRAM to escalate to operating-system command execution on the database host.

Fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter.

This issue affects pgAdmin 4: before 9.15.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-8318 – VectifyAI PageIndex PDF Table of Contents page_index.py toc_transformer infinite loop

CVE-2026-7790 – Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS

CVE-2026-45224 – Crabbox < 0.9.0 Path Traversal via Islo Provider Workspace Resolution

CVE-2026-45223 – Crabbox < 0.9.0 Authentication Bypass via Admin Claim Injection