CVE-2025-12764

Published Nov 13, 2025

Last updated 4 months ago

CVSS high 7.5

Overview

Description
pgAdmin <= 9.9  is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters in the username, causing the DC/LDAP server and the client to process an unusual amount of data DOS.
Source
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
NVD status
Analyzed
Products
pgadmin_4

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-90

Social media

Hype score
Not currently trending

  1. pgAdmin patched four flaws. The Critical RCE (CVE-2025-12762) risks arbitrary code execution via malicious PostgreSQL dump files. LDAP Injection (CVE-2025-12764) and TLS Bypass were also fixed. Update to v9.10. #pgAdmin #RCE #Cybersecurity #PostgreSQL https://t.co/2smCTmL72d

    @the_yellow_fall

    17 Nov 2025

    24 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-12764 pgAdmin &lt;= 9.9  is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters in the userna… https://t.co/zFdQG4LFkO

    @CVEnew

    13 Nov 2025

    142 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore operation, extract the `\restrict` key in real time, and race the restore process by overwriting the restore script with a payload that re-enables meta-commands using `\unrestrict <key>`. This results in reliable command execution on the pgAdmin host during the restore operation.CVE-2026-1707
  2. pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.CVE-2025-13780
  3. pgAdmin <= 9.9  is affected by a vulnerability in the LDAP authentication mechanism allows bypassing TLS certificate verification.CVE-2025-12765
  4. pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input.CVE-2025-12763
  5. pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.CVE-2025-12762

References

Sources include official advisories and independent security research.