CVE-2026-12048
Status: Received - Intake
Stored XSS in pgAdmin 4 Error and Plan Rendering Paths

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: PostgreSQL

Description
Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server (ErrorResponse messages, including object names quoted back inside relation-does-not-exist errors and inside EXPLAIN Recheck Cond / Exact Heap Blocks fields) was passed verbatim through html-react-parser at every user-facing sink: the notifier toasts, FormFooterMessage / FormInput help and error areas, FormNote, ModalProvider AlertContent and confirmDelete, ToolErrorView, the Explain visualiser's NodeText panel, the SQL editor confirm dialogs, ConfirmSaveContent, PreferencesHelper modal alerts, and SelectThemes helper text.

A PostgreSQL server an attacker controls, or any server returning attacker-influenced text such as a table or column name a low-privilege database user can create, could inject arbitrary HTML (including <iframe>) into the pgAdmin DOM the moment the victim's pgAdmin connected to that server or viewed an Explain plan that referenced the crafted object. The injected iframe's srcdoc could fetch attacker-served JavaScript and, by writing to parent.location, redirect the victim's top-level pgAdmin browser tab to an attacker-controlled URL. Because the injection originates from inside pgAdmin's own interface, standard anti-clickjacking controls (X-Frame-Options, Content-Security-Policy: frame-ancestors) do not mitigate it. A phishing page rendered inside the legitimate pgAdmin window is indistinguishable from a genuine pgAdmin dialog.

The fix combines three complementary layers. (1) DOMPurify sanitisation is wrapped around every html-react-parser call site reachable from notifier, alert, form-error, Explain, and SQL-editor flows. (2) A new plain-text rendering contract (SafeMessage / SafeHtmlMessage components plus Notifier.errorText / alertText / warningText / infoText / successText helpers) is introduced; around fifty callers across browser, tools, dashboard, debugger, misc, llm, preferences, schema diff, and the SQL editor that previously interpolated backend-derived strings are migrated to the plain-text variants. (3) Backend HTML-escaping is applied in the post-connection-SQL handler (execute_post_connection_sql) via a new sanitize_external_text helper, so third-party JSON consumers (audit logs, API clients) never receive raw markup either; the Explain plan-info renderer is also patched to _.escape Recheck Cond and Exact Heap Blocks at construction (matching every sibling field), giving defence in depth even before DOMPurify runs.

This issue affects pgAdmin 4: from 6.0 before 9.16.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor    Product   Version / Range
pgadmin   pgadmin   From 6.0 (inc) to 9.16 (exc)
pgadmin   pgadmin   9.16
CWE ID    Description
CWE-116   The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-79    The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Compliance Impact

The provided information does not specify how the stored cross-site scripting vulnerability in pgAdmin 4 (CVE-2026-12048) directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-12048 is a stored cross-site scripting (XSS) vulnerability in pgAdmin 4 affecting versions from 6.0 before 9.16. The issue arises because text returned by a PostgreSQL server, including error messages and explain plan details, is passed directly through an HTML parser (html-react-parser) without proper sanitization. This allows an attacker controlling a PostgreSQL server or able to influence returned text (such as table or column names) to inject arbitrary HTML, including malicious iframes, into the pgAdmin user interface.

The injected iframe can load attacker-controlled JavaScript and redirect the victim's pgAdmin browser tab to a malicious URL. Because the injection happens inside pgAdmin's own interface, typical anti-clickjacking protections do not prevent this attack, making phishing pages appear as legitimate pgAdmin dialogs.

The fix involves three layers: frontend sanitization using DOMPurify on all HTML parsing points, introduction of safe plain-text rendering components to replace unsafe interpolations, and backend sanitization that HTML-escapes error messages before they reach the frontend.

Impact Analysis

This vulnerability lets an attacker inject malicious HTML and JavaScript into the pgAdmin interface when you connect to a compromised or attacker-controlled PostgreSQL server. The result can be phishing attacks in which malicious pages are rendered inside the legitimate pgAdmin window, potentially tricking users into divulging sensitive information.

Additionally, the attacker can redirect your pgAdmin browser tab to attacker-controlled URLs, potentially leading to further compromise or data theft.

Because the vulnerability lies in how pgAdmin renders server-supplied text, even low-privilege database users who can create objects with crafted names can trigger the attack, which increases the risk.

Mitigation Strategies

To mitigate the stored cross-site scripting vulnerability in pgAdmin 4 (CVE-2026-12048), you should update pgAdmin 4 to version 9.16 or later, where the fix is included.

  • Apply the official patch that implements frontend sanitization using DOMPurify at all HTML parsing points.
  • Ensure backend sanitization is in place to HTML-escape PostgreSQL error messages before they reach the frontend.
  • Verify that the Explain visualizer fields (Recheck Cond and Exact Heap Blocks) are properly escaped to prevent injection.

These combined layers of defense prevent attacker-controlled HTML from being injected into the pgAdmin interface.
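The following is an added example, not pgAdmin's code, illustrating the backend layer described in the Description and in the mitigation list above: server-supplied text (ErrorResponse messages, object names, Explain plan fields) is HTML-escaped before it reaches any sink that parses HTML, and every string inside a JSON error payload is escaped so API clients and audit logs never receive raw markup. The helper name sanitize_external_text is the one the advisory mentions; its body here, the payload walker, the plan-field renderer, the markup check and the sample error message are all assumptions constructed for this example.

```python
# Added example (not pgAdmin's code). Escape PostgreSQL-supplied text before it
# reaches any HTML-rendering sink. sanitize_external_text is the helper name the
# advisory mentions; this body and everything else here is an assumption.
import html
import re

# Anything that still looks like a tag after escaping means the escape was skipped.
TAG_RE = re.compile(r"<[^>]+>")


def sanitize_external_text(text):
    """HTML-escape text that originated outside pgAdmin (error text, object names).

    '&', '<', '>', '"' and "'" become entities, so a later HTML parser treats the
    whole string as literal text. None passes through so callers keep
    "no message" semantics.
    """
    if text is None:
        return None
    return html.escape(str(text), quote=True)


def sanitize_payload(payload):
    """Escape every string in a JSON-shaped response (dicts and lists are walked).

    This is the handler-level escape the advisory describes: the escaped payload
    is what JSON consumers such as API clients and audit logs receive.
    """
    if isinstance(payload, dict):
        return {k: sanitize_payload(v) for k, v in payload.items()}
    if isinstance(payload, list):
        return [sanitize_payload(v) for v in payload]
    if isinstance(payload, str):
        return sanitize_external_text(payload)
    return payload


def render_plan_field(label, value):
    """Build one Explain plan-info line, escaping the server-derived value at
    construction, as the advisory says the patched renderer does for
    Recheck Cond and Exact Heap Blocks (the HTML shape used here is assumed)."""
    return "<b>%s:</b> %s" % (html.escape(label), sanitize_external_text(value))


def contains_markup(text):
    """Detection check for tests and log review: does the text still hold a tag?"""
    return bool(TAG_RE.search(text))


# Constructed sample: an ErrorResponse quoting back an object name that carries a tag.
SAMPLE_ERROR = {
    "success": 0,
    "errormsg": 'ERROR:  relation "<iframe>" does not exist',
    "result": None,
    "data": {"detail": ['LINE 1: SELECT * FROM "<iframe>"']},
}

if __name__ == "__main__":
    clean = sanitize_payload(SAMPLE_ERROR)
    print(clean["errormsg"])
    print(render_plan_field("Recheck Cond", "(name = '<b>x</b>')"))
    print("markup left in error text:", contains_markup(clean["errormsg"]))
```

Note the layering: this backend escape produces entities that a DOMPurify-wrapped html-react-parser sink renders as the literal characters, while a sink that inserts the string as a React text node would display the entities verbatim, so a given string should pass through either the HTML contract or the plain-text contract, not both.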
