Critical remote code execution flaw reported in pgAdmin4
A critical remote code execution vulnerability has been reported in pgAdmin4 that could enable attackers to execute arbitrary commands on the host running pgAdmin4, potentially compromising the database infrastructure it manages and exposing sensitive organizational data.
pgAdmin4 is extensively deployed in enterprise environments worldwide for managing PostgreSQL database systems.
The vulnerability is tracked as CVE-2025-12762 (CVSS score 9.3). It is a code injection flaw caused by improper handling of restores from PLAIN-format dump files when pgAdmin4 runs in server mode (the multi-user web deployment, as opposed to the desktop application). An authenticated attacker with only low privileges can inject and execute commands on the pgAdmin4 host through a crafted PostgreSQL dump file.
PLAIN-format dump files are commonly used for backing up and migrating PostgreSQL data. A PLAIN dump (pg_dump -Fp) is a SQL script rather than an archive, so pgAdmin4 replays it with psql rather than pg_restore. psql does more than send SQL to the server: any unquoted backslash in the script begins a psql meta-command, and meta-commands such as `\!` run a shell command on the host where psql is running, which in server mode is the pgAdmin4 server, not the user's browser. Before the fix, pgAdmin4 handed the uploaded file to psql without checking it for meta-commands. An attacker with an ordinary authenticated pgAdmin4 account could therefore craft a file that looks like a normal backup but carries such a command; during the restore psql would execute it under the operating-system account that runs pgAdmin4, giving the attacker code execution on that host and, from there, a path to the databases that host can reach.
The vulnerability affects pgAdmin4 versions up to and including 9.9. The pgAdmin development team addressed it under GitHub issue #9320, which documents the need to block restore operations when a PLAIN SQL file contains meta-commands.
The fix is released in pgAdmin 10.0, and organizations should upgrade to 10.0 or later. Where an immediate upgrade is not possible, temporary mitigations include disabling PLAIN-format restores if operationally feasible (custom- and directory-format dumps are restored with pg_restore, which does not interpret psql meta-commands) and restricting restore permissions to a small set of trusted users, since any account able to start a restore can reach this code path. Treat dump files offered for restore as untrusted input and inspect them for backslash meta-commands before they reach psql. Note also that the exposed host is the pgAdmin4 server itself, so run it under a dedicated low-privilege account and keep it separate from the database host where you can.
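The following is an added example, not pgAdmin's own fix (the article does not say how issue #9320 was implemented), showing both the mechanism described above and the "inspect before psql" mitigation. It is written in Python because pgAdmin4 is a Python application. `find_meta_commands` walks a PLAIN dump the way psql's lexer does, skipping quoted strings, dollar-quoted function bodies, comments and the raw data lines after `COPY ... FROM stdin`, and reports every backslash psql would treat as a meta-command; `restore_plain_dump` is a hypothetical wrapper that refuses to run psql when any are found. The names `find_meta_commands`, `restore_plain_dump` and `SAMPLE_DUMP` are my own, and `SAMPLE_DUMP` is a constructed file shaped like pg_dump output with two injected meta-commands, one of them placed after a legitimate statement on the same line to show that checking only the start of each line is not enough. The psql flags `-X`, `-v ON_ERROR_STOP=1`, `-d` and `-f` are real psql options.

```python
import re
import subprocess
from typing import List, Tuple

# Constructed sample shaped like pg_dump -Fp output, with two injected meta-commands.
SAMPLE_DUMP = "\n".join([
    "-- PostgreSQL database dump (constructed sample, not a real dump)",
    "SET client_encoding = 'UTF8';",
    "SET standard_conforming_strings = on;",
    "CREATE TABLE public.accounts (id integer NOT NULL, owner text);",
    "CREATE FUNCTION public.is_digits(s text) RETURNS boolean",
    r"    LANGUAGE sql AS $$ SELECT s ~ '^\d+$' $$;",
    "COPY public.accounts (id, owner) FROM stdin;",
    "1\talice",
    "\\N\tC:\\\\temp",
    r"\.",
    r"INSERT INTO public.accounts VALUES (2, 'a literal \! is not a command');",
    r"INSERT INTO public.accounts VALUES (3, 'x'); \! id > /tmp/pwned",
    r"\i /etc/passwd",
])

_DOLLAR_OPEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)?\$")
_COPY_START = re.compile(r"\s*copy\b", re.I)
_COPY_STDIN = re.compile(r"\bfrom\s+stdin\b", re.I)


def find_meta_commands(dump_text: str) -> List[Tuple[int, str]]:
    """(line number, text) of every backslash command psql would run from this dump.
    Skips the contexts psql skips: '...' and E'...' strings, "..." identifiers,
    $tag$ bodies, -- and nested /* */ comments, and COPY ... FROM stdin data."""
    hits: List[Tuple[int, str]] = []
    state, dollar_tag, depth = "top", "", 0    # lexical state, open $tag$, /* nesting
    copy_data = False                          # inside COPY data until a lone "\."
    stmt: List[str] = []                       # top-level text of the current statement
    for lineno, line in enumerate(dump_text.split("\n"), start=1):
        line = line.rstrip("\r")
        if copy_data:
            copy_data = line != "\\."
            continue
        i, n = 0, len(line)
        while i < n:
            ch = line[i]
            if state == "top":
                if ch == "\\":
                    hits.append((lineno, line[i:].strip()))
                    break                          # a meta-command runs to end of line
                if ch == "'":                      # E'...' strings honour backslash escapes
                    prev = line[i - 1] if i else ""
                    before = line[i - 2] if i > 1 else ""
                    state = "equote" if prev in ("e", "E") and not (before.isalnum() or before == "_") else "squote"
                elif ch == '"':
                    state = "dquote"
                elif ch == "$" and _DOLLAR_OPEN.match(line, i):
                    dollar_tag = _DOLLAR_OPEN.match(line, i).group(0)
                    state, i = "dollar", i + len(dollar_tag)
                    continue
                elif line.startswith("--", i):
                    break                          # rest of line is a comment
                elif line.startswith("/*", i):
                    state, depth, i = "comment", 1, i + 2
                    continue
                elif ch == ";":                    # statement boundary: did it start a COPY?
                    text, stmt = "".join(stmt), []
                    if _COPY_START.match(text) and _COPY_STDIN.search(text):
                        copy_data = True           # data begins on the next line
                        break
                else:
                    stmt.append(ch)
                i += 1
            elif state in ("squote", "equote", "dquote"):
                quote = '"' if state == "dquote" else "'"
                if state == "equote" and ch == "\\":
                    i += 2                         # escaped character, including \'
                elif ch == quote and line.startswith(quote * 2, i):
                    i += 2                         # doubled quote stays inside the literal
                elif ch == quote:
                    state, i = "top", i + 1
                else:
                    i += 1
            elif state == "dollar":
                end = line.find(dollar_tag, i)
                if end < 0:
                    break                          # body continues on the next line
                state, i = "top", end + len(dollar_tag)
            else:                                  # block comment, which PostgreSQL nests
                if line.startswith("/*", i):
                    depth, i = depth + 1, i + 2
                elif line.startswith("*/", i):
                    depth, i = depth - 1, i + 2
                    state = "top" if depth == 0 else state
                else:
                    i += 1
        if state == "top":
            stmt.append("\n")
    return hits


def restore_plain_dump(path: str, dbname: str) -> int:
    """Hypothetical wrapper: refuse to feed a PLAIN dump to psql if it carries any meta-command.
    ON_ERROR_STOP matters: the COPY-data tracking above is only sound if a COPY the server
    rejects aborts the restore instead of leaving psql to interpret the would-be data lines."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        found = find_meta_commands(fh.read())
    if found:
        detail = ", ".join(f"line {n}: {t}" for n, t in found)
        raise ValueError("refusing restore, psql meta-commands in dump: " + detail)
    cmd = ["psql", "-X", "-v", "ON_ERROR_STOP=1", "-d", dbname, "-f", path]
    return subprocess.run(cmd, check=False).returncode
```

On the sample, the scanner reports lines 12 and 13 (`\! id > /tmp/pwned` and `\i /etc/passwd`) and nothing else: the `\!` inside a string literal, the backslashes in the COPY data rows, the `\.` terminator and the regex inside the dollar-quoted function body are all left alone. Two caveats for anyone adapting this. First, the policy is "no meta-commands at all", which matches the fix described in the article but also refuses dumps made with `pg_dump --create` (they contain `\connect`) and dumps from recent pg_dump releases that open with `\restrict`/`\unrestrict`; if you must accept those, allowlist exactly those forms rather than loosening the scan. Second, psql's lexer is the ground truth, and any place where this scanner and psql disagree about what is quoted is a potential bypass, which is why the stronger mitigation is to keep untrusted PLAIN dumps away from psql entirely and restore custom-format archives with pg_restore instead.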