CVE-2025-12763
BaseFortify
Publication date: 2025-11-13
Last updated on: 2025-12-01
Assigner: PostgreSQL
Description
pgAdmin 4 versions up to and including 9.9 are affected by an OS command injection vulnerability on Windows. When pgAdmin launches its backup and restore tools it assembles the command line as a single string and runs it with `shell=True`, so the string is parsed by the Windows command shell. A backup or restore request whose file path contains shell metacharacters therefore causes the text after the metacharacter to run as a separate command, letting an attacker who controls that path execute arbitrary system commands on the host.
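The pattern described above, as an added example that is not pgAdmin's own code: the vulnerable form glues the user-supplied path into one command string and hands it to the shell, the fixed form passes an argv list with `shell=False`. A constructed stand-in (the current Python interpreter printing its arguments) replaces pg_dump so the block runs offline on any platform; `DUMP_TOOL`, `STORAGE_DIR` and the payload string are assumptions for the demo. The `&&` separator is understood by both cmd.exe and POSIX sh, so the injection behaves the same on Windows and Linux.

```python
"""Added example for CVE-2025-12763 (CWE-78): shell=True command injection
beside the argv-list fix. Not pgAdmin's code; all names are assumptions."""
import subprocess
import sys
from pathlib import Path

# Constructed stand-in for pg_dump / pg_restore: prints each argv entry on its own line.
DUMP_TOOL = [sys.executable, "-c", "import sys; [print(a) for a in sys.argv[1:]]"]

# Assumed per-user storage root where dumps are written.
STORAGE_DIR = Path("storage").resolve()


def run_backup_vulnerable(dump_path: str) -> list[str]:
    """Bug class on the page: the caller-controlled path is concatenated into ONE
    command string, which the shell then tokenises. Metacharacters in the path
    (& && | > on cmd.exe; ; && | on sh) end the intended command and start another."""
    cmdline = subprocess.list2cmdline(DUMP_TOOL) + " --file=" + dump_path
    out = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_backup_fixed(dump_path: str) -> list[str]:
    """Fix: pass an argv list and never involve a shell. The path reaches the tool as
    one literal argument, whatever characters it contains."""
    argv = DUMP_TOOL + ["--file=" + dump_path]
    out = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return out.stdout.splitlines()


def contain_dump_path(user_path: str) -> Path:
    """Defence in depth: refuse paths that escape the storage root. Note this does NOT
    stop the injection by itself (a name like 'x.sql && echo X' is a valid filename),
    so it complements, rather than replaces, the argv-list fix."""
    target = (STORAGE_DIR / user_path).resolve()
    if STORAGE_DIR not in target.parents:
        raise ValueError(f"path escapes storage root: {user_path!r}")
    return target


if __name__ == "__main__":
    crafted = "backup.sql && echo INJECTED"  # constructed payload, harmless on purpose
    print("vulnerable:", run_backup_vulnerable(crafted))  # second command ran
    print("fixed:     ", run_backup_fixed(crafted))       # one literal argument
```

Run it and the vulnerable variant prints the extra `INJECTED` line produced by the smuggled `echo`, while the fixed variant shows the whole crafted string arriving as a single `--file=` argument. Any quoting or escaping layered on top of `shell=True` is fragile on Windows because cmd.exe and the launched program parse the line differently; removing the shell from the call is the reliable remedy.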
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pgadmin | pgadmin_4 | all releases before 9.10 (9.10 itself is outside the affected range) |
| microsoft | windows | any version (the issue is specific to the Windows platform) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
It is an OS command injection (CWE-78) in pgAdmin 4 versions up to and including 9.9 on Windows. When pgAdmin runs a backup or restore, it builds the command line for the underlying tool as one string and executes it with `shell=True`, so the Windows command shell parses that string. A file path containing shell metacharacters such as `&` or `|` is then not treated as a single argument: the text after the metacharacter is run as a separate command.
How can this vulnerability impact me?
Anyone who can submit a backup or restore request with a file path they control can run arbitrary commands on the Windows host, with the privileges of the account under which pgAdmin runs. That can lead to full compromise of that host, including unauthorized access, data theft or modification, and denial of service. Upgrading to a pgAdmin 4 release outside the affected range (9.10 or later) removes the issue.