
Stored Cross-Site Scripting in pgAdmin 4 Error and Explain Rendering

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-12048

pgAdmin is a database management tool typically deployed in internal, protected administrative environments or on local workstations. While web-based, it is generally not exposed directly to the public internet, usually requiring VPN or internal network access for reachability. Public internet exposure is uncommon and generally considered a misconfiguration.

Vulnerability class: Cross-site Scripting

External exposure likelihood (Halo Surface Signal): 2 out of 5, less likely to be public-facing.

Horizon Alert

Summary of the vulnerability and why it matters

A stored cross-site scripting vulnerability in pgAdmin 4 could allow an attacker to inject malicious HTML and JavaScript into the application's interface, potentially redirecting users to fraudulent sites. The flaw lies in how pgAdmin renders text returned by a PostgreSQL server: that text reaches the browser as markup rather than as plain text, so the escaping that would normally neutralize it does not apply.

  • Malicious code can be inserted into pgAdmin.
  • It makes phishing attacks within pgAdmin possible.
  • Confirm relevance and exposure for your operations.

Attack Path

How an attacker could exploit the issue

An attacker can inject malicious HTML into the pgAdmin interface by controlling text displayed by a PostgreSQL server, such as object names in error messages or EXPLAIN output. This injection occurs when a user's pgAdmin connects to the attacker-controlled server or views crafted data, allowing arbitrary HTML, including iframes, to be rendered directly within the legitimate pgAdmin window. This could lead to a phishing attack, as the deceptive content would be indistinguishable from genuine pgAdmin elements, and could redirect the user's browser tab to an attacker-controlled site.

  • Requires an attacker-controlled server, or a server that returns attacker-influenced text.
  • Injected HTML, including iframes, is rendered inside the pgAdmin window.
  • Risk of phishing and redirection.

Live Threat

Current exploitation, exposure, and threat context

When pgAdmin connects to a PostgreSQL server that an attacker controls, or a server returning attacker-influenced text, arbitrary HTML could be injected into the pgAdmin interface. This could lead to a phishing page that is indistinguishable from a genuine pgAdmin dialog, potentially redirecting the user's browser tab to an attacker-controlled URL.

  • Target: the user's pgAdmin session.
  • Vector: crafted database object names or error messages.
  • Impact: redirection of the user to malicious sites.

Operational Fix

Recommended remediation, mitigation, and detection steps

The stored cross-site scripting vulnerability in pgAdmin 4 affects its error and plan-node rendering paths, allowing an attacker to inject arbitrary HTML and JavaScript by controlling text returned by a PostgreSQL server. This could lead to phishing attacks by redirecting users to attacker-controlled URLs within the legitimate pgAdmin interface. The fix involves DOMPurify sanitization, a new plain-text rendering contract, and backend HTML escaping. Identifying affected instances, confirming business criticality and reachability, and coordinating with vendor management are key first steps for remediation.

  • Application owners should own the remediation.
  • Treat all server-returned text (error messages, EXPLAIN output, object names) as untrusted input.
  • Plan remediation in coordination with the vendor.
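The attack path above and the fix described in this section both come down to one rendering decision: text that a PostgreSQL server returns (error messages, EXPLAIN node labels, object names) must be displayed as plain text, never parsed as HTML. The block below is an added illustration, not pgAdmin's own code or the project's patch; the function names, the optional `doc` parameter, and the sample error message are all constructed for this example. It shows the backend-style HTML escaping and the plain-text rendering contract side by side, plus a simple defender-side heuristic that flags server text containing tag-like markup so it can be logged for review.

```javascript
// Added example (not pgAdmin's own code): rendering server-returned text safely.
// Constructed sample: a PostgreSQL error whose quoted object name carries HTML.
// It is not a captured message; it exists only to show why escaping matters.
const SAMPLE_ERROR =
  'ERROR:  relation "<iframe src="https://example.invalid/">" does not exist';

// Backend-style HTML escaping: every character that can open or close markup
// becomes an entity, so the browser displays the characters instead of parsing them.
function escapeHtml(text) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Plain-text rendering contract (assumed helper name): in a browser, assign
// textContent so nothing is parsed as HTML; without a document (e.g. a
// server-side template), return the escaped string instead. Never use innerHTML
// with server-returned text.
function renderServerText(text, doc) {
  if (doc && typeof doc.createElement === 'function') {
    const pre = doc.createElement('pre');
    pre.textContent = text; // the browser parses no markup here
    return pre;
  }
  return `<pre>${escapeHtml(text)}</pre>`;
}

// Detection heuristic for defenders: flag server-returned strings that contain
// tag-like markup or a javascript: URL so they can be logged and reviewed.
function looksLikeMarkup(text) {
  return /<\s*\/?\s*[a-zA-Z][^>]*>/.test(text) || /javascript:/i.test(text);
}

// Demo: the same message under the unsafe contract (string handed to innerHTML)
// and under the safe contract (escaped / textContent).
function demo() {
  const unsafe = `<pre>${SAMPLE_ERROR}</pre>`; // markup would be parsed
  const safe = renderServerText(SAMPLE_ERROR);   // markup shown as text
  return { unsafe, safe, flagged: looksLikeMarkup(SAMPLE_ERROR) };
}
```

In the safe output the iframe tag survives only as `&lt;iframe ...&gt;`, which the browser shows literally; the unsafe string is exactly what an innerHTML-style path would hand to the parser. The heuristic is intentionally coarse: it is a logging aid for spotting suspicious server text, not a substitute for the escaping and plain-text rendering that actually close the issue.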

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is pgAdmin 4 and how is it used?

pgAdmin 4 is a popular open-source administration and development platform for PostgreSQL databases. It provides a graphical interface for managing database objects, running SQL queries, and analyzing database performance. Users typically run it as a web-based application or a desktop tool to interact with PostgreSQL servers.

What does CVE-2026-12048 mean for pgAdmin users?

This vulnerability is a Stored Cross-Site Scripting (XSS) issue. It means pgAdmin incorrectly processes certain text returned by a PostgreSQL server—like error messages or query plan details—as active HTML code. An attacker can craft this text to inject malicious scripts into your pgAdmin session, which the application then executes as if it were legitimate content.

How does an attacker trigger this vulnerability?

The vulnerability is triggered when your pgAdmin client connects to a malicious or compromised PostgreSQL server. If you view an error message or a query plan containing crafted database object names, the application renders the hidden malicious HTML. Simply viewing standard, non-malicious data or connecting to trusted databases does not trigger the bug.

Is my pgAdmin instance at risk?

Halo Surface Signal identifies that pgAdmin is typically deployed in internal, protected environments or on local workstations, meaning direct public internet exposure is uncommon. While the threat is high if you connect to untrusted servers, your specific risk level depends on whether your pgAdmin instance is reachable from the internet or restricted to your internal network.

What should I do to secure my pgAdmin installation?

First, identify all pgAdmin instances running in your environment. Prioritize those that connect to external or untrusted database sources. Check for updates from the pgAdmin project that incorporate the new sanitization and plain-text rendering updates, and coordinate with your vendor or maintenance team to apply these patches as soon as they are available.
