AI description
CVE-2026-12048 is a stored cross-site scripting (XSS) vulnerability affecting pgAdmin 4, specifically versions 6.0 through 9.15. This flaw arises from the improper handling of text returned by a PostgreSQL server, such as error messages, object names, and details within `EXPLAIN` plans. This unsanitized text was passed directly through `html-react-parser` into various user-facing elements of the pgAdmin interface. An attacker could exploit this by controlling a PostgreSQL server or by influencing object names, allowing them to inject arbitrary HTML, including iframes, into the pgAdmin Document Object Model (DOM). This injected content could then execute attacker-controlled JavaScript, potentially redirecting the victim's browser to malicious websites. Standard anti-clickjacking measures are ineffective against this vulnerability because the injection originates from within pgAdmin's own interface. The issue has been addressed in pgAdmin 4 version 9.16 through a multi-layered fix involving DOMPurify sanitization, new plain-text rendering components, and backend HTML escaping.
- Description
- Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server (ErrorResponse messages, including object names quoted back inside relation-does-not-exist errors and inside EXPLAIN Recheck Cond / Exact Heap Blocks fields) was passed verbatim through html-react-parser at every user-facing sink — the notifier toasts, FormFooterMessage / FormInput help and error areas, FormNote, ModalProvider AlertContent and confirmDelete, ToolErrorView, the Explain visualiser's NodeText panel, the SQL editor confirm dialogs, ConfirmSaveContent, PreferencesHelper modal alerts, and SelectThemes helper text. A PostgreSQL server an attacker controls — or any server returning attacker-influenced text such as a table or column name a low-privilege database user can create — could inject arbitrary HTML (including <iframe>) into the pgAdmin DOM the moment the victim's pgAdmin connected to that server or viewed an Explain plan that referenced the crafted object. The injected iframe's srcdoc could fetch attacker-served JavaScript and, by writing to parent.location, redirect the victim's top-level pgAdmin browser tab to an attacker-controlled URL. Because the injection originates from inside pgAdmin's own interface, standard anti-clickjacking controls (X-Frame-Options, Content-Security-Policy: frame-ancestors) do not mitigate it. A phishing page rendered inside the legitimate pgAdmin window is indistinguishable from a genuine pgAdmin dialog. The fix combines three complementary layers. (1) DOMPurify sanitisation is wrapped around every html-react-parser call site reachable from notifier, alert, form-error, Explain, and SQL-editor flows. (2) A new plain-text rendering contract — SafeMessage / SafeHtmlMessage components plus Notifier.errorText / alertText / warningText / infoText / successText helpers — is introduced; around fifty callers across browser, tools, dashboard, debugger, misc, llm, preferences, schema diff, and the SQL editor that previously interpolated backend-derived strings are migrated to the plain-text variants. (3) Backend HTML-escape is applied at the post-connection-SQL handler (execute_post_connection_sql) via a new sanitize_external_text helper, so third-party JSON consumers (audit logs, API clients) never receive raw markup either; the Explain plan-info renderer is also patched to _.escape Recheck Cond and Exact Heap Blocks at construction (matching every sibling field), giving defence in depth even before DOMPurify runs. This issue affects pgAdmin 4: from 6.0 before 9.16.
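The backend-escape and Explain-field layers of the fix, as an added example written for this page (not pgAdmin's own code): `sanitize_external_text` and the plan field keys are modelled on the description above and are assumptions, the sample error, plan and catalog rows are constructed, and the final catalog check goes beyond the description to show how a defender could look for markup-bearing object names before upgrading.

```python
import html
import re

# Markup-capable characters that a normal identifier has no reason to contain.
_MARKUP_CHARS = re.compile('[<>&"\']')

# EXPLAIN (FORMAT JSON) fields the description names as previously unescaped (assumed keys).
PLAN_TEXT_FIELDS = ("Recheck Cond", "Exact Heap Blocks")


def sanitize_external_text(text):
    """Backend layer: HTML-escape any string that came back from a PostgreSQL server
    (ErrorResponse text, object names) before it is stored, logged or sent to a client."""
    if text is None:
        return None
    return html.escape(str(text), quote=True)


def escape_plan_text_fields(node, fields=PLAN_TEXT_FIELDS):
    """Escape selected string fields on every node of a nested EXPLAIN JSON plan.
    Returns a new dict; child nodes live under the "Plans" key as in PostgreSQL output."""
    out = {}
    for key, value in node.items():
        if key == "Plans" and isinstance(value, list):
            out[key] = [escape_plan_text_fields(child, fields) for child in value]
        elif key in fields and isinstance(value, str):
            out[key] = sanitize_external_text(value)
        else:
            out[key] = value
    return out


def find_markup_in_identifiers(rows):
    """Detection: flag (schema, name) catalog rows containing markup characters,
    the kind of object name a low-privilege user could create to seed this bug."""
    return [(s, n) for s, n in rows if _MARKUP_CHARS.search(s) or _MARKUP_CHARS.search(n)]


# Constructed sample inputs (not real pgAdmin or PostgreSQL output).
SAMPLE_ERROR = 'relation "public.<iframe>" does not exist'
SAMPLE_PLAN = {
    "Node Type": "Bitmap Heap Scan",
    "Recheck Cond": "(<b>col</b> = 1)",
    "Plans": [{"Node Type": "Bitmap Index Scan", "Index Cond": "(col = 1)"}],
}
SAMPLE_ROWS = [("public", "orders"), ("public", "<b>promo</b>"), ("app", "users")]

if __name__ == "__main__":
    print(sanitize_external_text(SAMPLE_ERROR))
    print(escape_plan_text_fields(SAMPLE_PLAN)["Recheck Cond"])
    print(find_markup_in_identifiers(SAMPLE_ROWS))
```

The catalog rows would in practice come from a query over pg_class and pg_attribute; the example feeds constructed tuples so it runs offline.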
- Source
- f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
- NVD status
- Received
CVSS 4.0
- Type
- Secondary
- Base score
- 9.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Secondary
- Base score
- 9.3
- Impact score
- 5.8
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
- Severity
- CRITICAL
- f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
- CWE-79
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
9
⚠️⚠️ CVE-2026-12046 (CVSS 9.5) + CVE-2026-12045 + CVE-2026-12048 (CVSS 9.3): pgAdmin 4 server-mode flaws enable unauth RCE and stored XSS in PostgreSQL admin UI. 🔗FOFA Link: https://t.co/U7JSrUmayI 🎯66.4K+ Results are found on https://t.co/NBEEGu7ePJ in the past yea
@fofabot
22 Jun 2026
4221 Impressions
12 Retweets
30 Likes
20 Bookmarks
0 Replies
0 Quotes
Three critical vulnerabilities fixed in pgAdmin 4. Unsafe pickle deserialisation CVE-2026-12046 has a CVSS score of 9.5, the AI assistant read-only transaction bypass CVE-2026-12045 9.4, and the stored XSS CVE-2026-12048 9.
@__kokumoto
22 Jun 2026
686 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
Three critical pgAdmin 4 vulnerabilities (CVE-2026-12046, CVE-2026-12048, CVE-2026-12045) risk XSS and RCE. Update to pgAdmin 4 9.16 now. #pgAdmin #PostgreSQL #XSS #RCE #CVE #Vulnerability https://t.co/RHAfR82LDP https://t.co/msfkHZZ9l1
@the_yellow_fall
22 Jun 2026
470 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes