AI description
CVE-2025-13780 is a remote code execution (RCE) vulnerability affecting pgAdmin versions up to 9.10. It is reachable only when pgAdmin runs in server mode and a restore is performed from a PLAIN-format dump file, which pgAdmin hands to psql. The flaw lies in the application's "regex firewall", a regex-based filter meant to reject psql meta-commands (such as \!, which runs an operating-system command) before the file reaches psql. The filter is bypassed by placing whitespace characters that psql treats as whitespace but the regex does not, such as a carriage return, in front of the meta-command in the SQL file; psql then executes the command on the server hosting pgAdmin during the restore. pgAdmin version 9.11 addresses this vulnerability.
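As an added illustration (not pgAdmin's own code, and not the regex it shipped), the following Python models the filter-bypass class described above. WEAK_META_RE is a hypothetical line-anchored filter that tolerates only spaces and tabs before the backslash and inspects newline-delimited lines; has_meta_command instead scans the way psql's lexer does, where a backslash outside a string literal, quoted identifier, comment or dollar-quoted block starts a meta-command wherever on the line it sits, and where a UTF-8 BOM at the start of the script is stripped. All function names and the sample dumps are constructed for this example; the page does not describe the 9.11 fix and this code does not claim to reproduce it.

```python
import re

# psql strips a UTF-8 byte-order mark from the start of a script before lexing.
UTF8_BOM = "\ufeff"

# Hypothetical weak "regex firewall" modelled on the behaviour the advisory
# text describes (NOT the regex pgAdmin shipped): it accepts only spaces and
# tabs before the backslash and inspects '\n'-delimited lines, so a leading
# '\r', a BOM, or a meta-command after SQL text on the same line slips past.
WEAK_META_RE = re.compile(r"^[ \t]*\\")

# Opening/closing delimiter of a dollar-quoted block: $$ or $tag$.
DOLLAR_RE = re.compile(r"\$(?:[A-Za-z_]\w*)?\$")


def weak_filter_blocks(sql: str) -> bool:
    """True if the naive line-anchored filter rejects the dump."""
    return any(WEAK_META_RE.match(line) for line in sql.split("\n"))


def has_meta_command(sql: str, escape_strings: bool) -> bool:
    """Scan like psql's lexer: a backslash that is not inside a string
    literal, quoted identifier, comment or dollar-quoted block starts a
    meta-command, wherever it sits.  escape_strings=True models E'...'
    literals / standard_conforming_strings=off, where a backslash inside
    '...' escapes the next character."""
    text = sql[1:] if sql.startswith(UTF8_BOM) else sql
    i, n = 0, len(text)
    while i < n:
        c, two = text[i], text[i:i + 2]
        if c == "'":                                  # '...' string literal
            i += 1
            while i < n:
                if escape_strings and text[i] == "\\":
                    i += 2                            # \x escapes x
                elif text[i] == "'":
                    if text[i + 1:i + 2] == "'":
                        i += 2                        # '' is a literal quote
                    else:
                        i += 1
                        break
                else:
                    i += 1
        elif c == '"':                                # "..." quoted identifier
            end = text.find('"', i + 1)
            i = n if end < 0 else end + 1
        elif two == "--":                             # line comment
            end = text.find("\n", i)
            i = n if end < 0 else end + 1
        elif two == "/*":                             # block comment; PostgreSQL nests these
            depth, i = 1, i + 2
            while i < n and depth:
                if text[i:i + 2] == "/*":
                    depth, i = depth + 1, i + 2
                elif text[i:i + 2] == "*/":
                    depth, i = depth - 1, i + 2
                else:
                    i += 1
        elif c == "$" and (m := DOLLAR_RE.match(text, i)):   # $tag$ ... $tag$
            tag = m.group(0)
            end = text.find(tag, i + len(tag))
            i = n if end < 0 else end + len(tag)
        elif c == "\\":
            return True                               # meta-command reachable by psql
        else:
            i += 1
    return False


def strict_filter_blocks(sql: str) -> bool:
    """Reject if psql could see a meta-command under either string-escaping
    interpretation: the dump itself can SET standard_conforming_strings."""
    return has_meta_command(sql, False) or has_meta_command(sql, True)


# Constructed sample inputs (not real dump files, not a real exploit payload).
BENIGN_DUMP = (
    "SET standard_conforming_strings = on;\n"
    "CREATE TABLE t (c text);\n"
    "INSERT INTO t VALUES ('back\\slash'), ('it''s'), (E'\\\\!not');\n"
    "-- \\! only a comment\n"
    "/* \\! also a comment */\n"
    "CREATE FUNCTION f() RETURNS text AS $$ select '\\! x' $$ LANGUAGE sql;\n"
)
OBVIOUS = "\\! id\n"                                    # caught by both filters
CR_BYPASS = "CREATE TABLE t (c text);\n\r\\! id\n"      # carriage return before the backslash
BOM_BYPASS = "\ufeff\\! id\n"                           # UTF-8 BOM before the backslash
MIDLINE = "SELECT 1 \\! id\n"                           # meta-command after SQL text
QUOTE_TRICK = "SELECT 'ab\\'cd'; \\! id; SELECT 'x';\n"  # hidden unless escapes are modelled

if __name__ == "__main__":
    for name, dump in [("OBVIOUS", OBVIOUS), ("CR_BYPASS", CR_BYPASS),
                       ("BOM_BYPASS", BOM_BYPASS), ("MIDLINE", MIDLINE),
                       ("QUOTE_TRICK", QUOTE_TRICK), ("BENIGN_DUMP", BENIGN_DUMP)]:
        print(f"{name:12} weak={weak_filter_blocks(dump)!s:5} strict={strict_filter_blocks(dump)}")
```

Even the stricter scanner is a best effort: it must reproduce psql's lexer exactly, including session state such as standard_conforming_strings that the dump itself can change, which is why strict_filter_blocks evaluates both interpretations. The robust design is not to hand an untrusted file to psql at all, but to execute its statements over a libpq connection, where backslash meta-commands are never interpreted.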
- Description
- pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.
- Source
- f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
- NVD status
- Analyzed
- Products
- pgadmin_4
CVSS 3.1
- Type
- Primary
- Base score
- 8.8
- Impact score
- 5.9
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-94
- Hype score
- Not currently trending
https://t.co/cOg33vG2NJ When Regex Isn’t Enough: How We Discovered CVE-2025-13780 in pgAdmin
@BentleyAudrey
18 Dec 2025
614 Impressions
2 Retweets
12 Likes
2 Bookmarks
0 Replies
0 Quotes
🚨 Critical RCE in pgAdmin 4 (≤ v9.10): CVE-2025-13780 Bypasses regex filter on PLAIN dump restores using whitespace tricks – attackers run arbitrary shell commands! Patch to v9.11+ NOW if in server mode. Details: https://t.co/sCMfayJyLg #CyberSecurity #PostgreSQL #pgAd
@Manikandanbas03
17 Dec 2025
71 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
pgAdmin has a serious vulnerability (CVE-2025-13780) https://t.co/TaqaY4BdZ1 #セキュリティ対策Lab #セキュリティ #Security
@securityLab_jp
17 Dec 2025
268 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨:CVE-2025-13780 : pgAdmin are Affected by A Remote Code Execution (RCE) Vulnerability. It affects versions up to 9.10. 🔥PoC :https://t.co/G6VnT4AarK 📊189.9K Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter Link:https://t.co/H4H1mAxBfO 👇Qu
@HunterMapping
16 Dec 2025
9845 Impressions
28 Retweets
128 Likes
73 Bookmarks
2 Replies
1 Quote
When Regex Isn’t Enough: How We Discovered #CVE-2025-13780 in #pgAdmin https://t.co/K2FQ188m2O
@kmkz_security
16 Dec 2025
3316 Impressions
7 Retweets
33 Likes
13 Bookmarks
0 Replies
0 Quotes
Critical vulnerability in pgAdmin, the open-source PostgreSQL database management tool ⚠️ CVE-2025-13780 https://t.co/BBjhwrNxsb https://t.co/FIrk8BLNcG
@elhackernet
15 Dec 2025
4910 Impressions
20 Retweets
70 Likes
20 Bookmarks
0 Replies
0 Quotes
⚠️ pgAdmin Vulnerability Let Attackers Execute Shell Commands on the Host Source: https://t.co/qS356B6pRI A severe security vulnerability has been uncovered in pgAdmin 4, the popular open-source PostgreSQL database management tool. Tracked as CVE-2025-13780, this critical
@The_Cyber_News
15 Dec 2025
3770 Impressions
28 Retweets
93 Likes
13 Bookmarks
0 Replies
1 Quote
CVE-2025-13780 Critical pgAdmin Vulnerability Let Attackers Execute Shell Commands on the Host Read the full report on - https://t.co/mt5uGjeuP6 https://t.co/ry4ejP5Jiw
@Iambivash007
15 Dec 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
pgAdmin 4 flaw CVE-2025-13780 allows remote code execution via crafted restore files, letting attackers run shell commands on host systems. Users should patch or mitigate immediately. #RCE https://t.co/Cc36e9Szc9
@threatcluster
15 Dec 2025
49 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨🚨 CVE-2025-13780 (CVSS: 9.1): pgAdmin4 Meta-Command Filter Command Execution pgAdmin 4 < 9.11 fails to detect meta-commands when a SQL file starts with UTF-8 BOM, leading to remote command execution during restore. 🔥 PoC: https://t.co/XRlUUB3arH Search by vul.cve ht
@zoomeye_team
15 Dec 2025
11244 Impressions
41 Retweets
163 Likes
85 Bookmarks
2 Replies
3 Quotes
CVE-2025-13780 pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-for… https://t.co/eN4ZOX04MU
@CVEnew
13 Dec 2025
181 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
PgAdmin4 affected by Meta-Command Filter Command Execution (CVE-2025-13780). Update to the latest secure version to prevent system compromise. https://t.co/yXqB43Oqty
@pulsepatchio
13 Dec 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
GitHub - zeropwn/pgadmin4-9.10-CVE-2025-13780: Proof of concept for CVE-2025-13780 - https://t.co/BhEuTnddz5
@piedpiper1616
12 Dec 2025
1627 Impressions
5 Retweets
14 Likes
7 Bookmarks
0 Replies
0 Quotes
In November, I reported an RCE that bypassed the patch for CVE-2025-12762 in version 9.10 of pgadmin4. It has now been patched in the latest release 9.11 and tracked as CVE-2025-13780 https://t.co/o8fxY6XKYO
@zer0pwn
11 Dec 2025
477 Impressions
0 Retweets
7 Likes
1 Bookmark
0 Replies
0 Quotes
[CVE-2025-13780: CRITICAL] Critical Remote Code Execution vulnerability discovered in pgAdmin versions up to 9.10 when restoring PLAIN-format dump files in server mode. Attackers can inject and execute comma...#cve,CVE-2025-13780,#cybersecurity https://t.co/eLUgbdlqHQ https://t.c
@CveFindCom
11 Dec 2025
19 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:pgadmin:pgadmin_4:*:*:*:*:*:postgresql:*:*",
            "vulnerable": true,
            "matchCriteriaId": "31BFDAD3-B87D-46DD-9984-3000087309DD",
            "versionEndIncluding": "9.10"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
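The NVD applicability configuration above is what scanners evaluate to decide whether an installed pgAdmin is in scope. As an added example (not NVD's or pgAdmin's code), the following Python evaluates that configuration against a vendor, product and version, handling the range keys (versionStart/EndIncluding/Excluding), exact-version criteria, node and configuration operators, and negate. Function names are constructed for this example; the configuration JSON is the one printed on the page. It also shows the pitfall that matters for this CVE: compared as strings, "9.9" sorts after "9.10", so a naive check would miss 9.9 and earlier releases.

```python
import json
import re

# The NVD applicability configuration for this CVE, as printed on the page.
NVD_CONFIGURATIONS = json.loads(r"""
[{"nodes": [{"negate": false, "operator": "OR", "cpeMatch": [{
    "criteria": "cpe:2.3:a:pgadmin:pgadmin_4:*:*:*:*:*:postgresql:*:*",
    "vulnerable": true,
    "matchCriteriaId": "31BFDAD3-B87D-46DD-9984-3000087309DD",
    "versionEndIncluding": "9.10"}]}]}]
""")


def version_key(version: str) -> tuple:
    """Numeric tuple per dotted component so that 9.9 < 9.10; a plain string
    comparison orders them the other way round."""
    parts = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def cpe_match_applies(match: dict, vendor: str, product: str, version: str) -> bool:
    """Apply one cpeMatch entry: vendor/product must agree with the CPE 2.3
    criteria (fields 3 and 4), then the exact version or the range bounds."""
    fields = match["criteria"].split(":")          # cpe:2.3:part:vendor:product:version:...
    if (fields[3], fields[4]) != (vendor, product):
        return False
    v = version_key(version)
    if fields[5] not in ("*", "-") and version_key(fields[5]) != v:
        return False                                # exact-version criteria
    bounds = (
        ("versionStartIncluding", lambda b: v >= b),
        ("versionStartExcluding", lambda b: v > b),
        ("versionEndIncluding", lambda b: v <= b),
        ("versionEndExcluding", lambda b: v < b),
    )
    for key, ok in bounds:
        if key in match and not ok(version_key(match[key])):
            return False
    return bool(match.get("vulnerable", False))


def node_applies(node: dict, vendor: str, product: str, version: str) -> bool:
    results = [cpe_match_applies(m, vendor, product, version)
               for m in node.get("cpeMatch", [])]
    hit = all(results) if node.get("operator") == "AND" else any(results)
    return (not hit) if node.get("negate") else hit


def configuration_applies(config: dict, vendor: str, product: str, version: str) -> bool:
    results = [node_applies(n, vendor, product, version) for n in config.get("nodes", [])]
    hit = all(results) if config.get("operator") == "AND" else any(results)
    return (not hit) if config.get("negate") else hit


def is_vulnerable(configurations: list, vendor: str, product: str, version: str) -> bool:
    return any(configuration_applies(c, vendor, product, version) for c in configurations)


if __name__ == "__main__":
    for ver in ("8.14", "9.9", "9.10", "9.11"):
        print(ver, is_vulnerable(NVD_CONFIGURATIONS, "pgadmin", "pgadmin_4", ver))
```

The criteria string's target_sw field ("postgresql") is not compared here; if your inventory records CPEs with that field populated, add it to the comparison in cpe_match_applies.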