{"id":78271,"date":"2026-05-11T19:47:38","date_gmt":"2026-05-11T16:17:38","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-7816-pgadmin-4-os-command-injection-in-import-export-query-export-via-psql-metacommand-breakout\/"},"modified":"2026-05-11T19:47:38","modified_gmt":"2026-05-11T16:17:38","slug":"cve-2026-7816-pgadmin-4-os-command-injection-in-import-export-query-export-via-psql-metacommand-breakout","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-7816-pgadmin-4-os-command-injection-in-import-export-query-export-via-psql-metacommand-breakout\/","title":{"rendered":"CVE-2026-7816 – pgAdmin 4: OS command injection in Import\/Export query export via psql metacommand breakout"},"content":{"rendered":"

CVE ID :CVE-2026-7816<\/p>\n

Published : May 11, 2026, 4:17 p.m. | 41\u00a0minutes ago<\/p>\n

Description :OS command injection (CWE-78) vulnerability in pgAdmin 4 Import\/Export query export.<\/p>\n

User-supplied input was interpolated directly into a psql copy metacommand template without sanitization. An authenticated user could inject “) TO PROGRAM ‘cmd'” to break out of the copy (…) context and achieve arbitrary command execution on the pgAdmin server, or “) TO ‘\/path'” for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable.<\/p>\n

Fix adds a parens-balance parser modeled on psql’s strtokx tokenizer, allow-lists format\/on_error\/log_verbosity, rejects null bytes in the query, and tightens type and gating checks.<\/p>\n

This issue affects pgAdmin 4: before 9.15.<\/p>\n

Severity: 8.8 | HIGH<\/p>\n

Visit the link for more details, such as CVSS details, affected products, timeline, and more…\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"

CVE ID :CVE-2026-7816 Published : May 11, 2026, 4:17 p.m. | 41\u00a0minutes ago Description :OS command injection (CWE-78) vulnerability in pgAdmin 4 Import\/Export query export. User-supplied input was interpolated directly into a psql copy metacommand template without sanitization. An authenticated user could inject “) TO PROGRAM ‘cmd’” to break out of the copy (…) context …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-78271","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/78271","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=78271"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/78271\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=78271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=78271"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=78271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}