Mallory
Unrated

Stored XSS in pgAdmin 4 error and EXPLAIN plan rendering

Identifiers: CVE-2026-12048, CWE-79

CVE-2026-12048 is a stored cross-site scripting vulnerability in pgAdmin 4 affecting versions from 6.0 before 9.16. The flaw exists in error-rendering and plan-node-rendering paths where text returned by a PostgreSQL server was passed verbatim through html-react-parser into multiple user-facing sinks, including notifier toasts, form help/error components, modal alert content, ToolErrorView, SQL editor confirmation dialogs, and the Explain visualizer NodeText panel. Attacker-controlled content could originate from a malicious PostgreSQL server via ErrorResponse messages, or from attacker-influenced database object names, such as crafted table or column names reflected in relation-does-not-exist errors or in EXPLAIN fields including Recheck Cond and Exact Heap Blocks. Because this backend-derived text was rendered as HTML without adequate sanitization, arbitrary HTML could be injected into the pgAdmin DOM.

Impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary HTML injection into the pgAdmin interface in the victim's browser session. The advisory specifically notes iframe injection, where an injected iframe using srcdoc can load attacker-served JavaScript and then redirect the top-level pgAdmin tab via parent.location to attacker-controlled content. This enables highly convincing phishing within the legitimate pgAdmin window and can lead to credential theft and unauthorized database operations across active connections. Standard anti-clickjacking controls such as X-Frame-Options and CSP frame-ancestors do not mitigate this case because the malicious content is injected inside pgAdmin's own DOM.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, avoid using pgAdmin to connect to untrusted or attacker-controlled PostgreSQL servers. Also avoid viewing EXPLAIN plans, error messages, or other server-returned content from low-trust databases where unprivileged users can create attacker-controlled object names such as tables or columns. These are temporary risk-reduction measures only; no complete workaround is provided in the advisory.

Remediation

Patch, then assume compromise.

Upgrade pgAdmin 4 to version 9.16 or later. The fix includes three layers: DOMPurify sanitization around affected html-react-parser call sites; introduction of a plain-text rendering contract using SafeMessage/SafeHtmlMessage and notifier text helpers to prevent unsafe rendering of backend-derived strings; and backend HTML escaping through sanitize_external_text in execute_post_connection_sql, plus escaping of Explain renderer fields such as Recheck Cond and Exact Heap Blocks for defense in depth.
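The backend escaping layer described above, as an added example (not pgAdmin's own sanitize_external_text; it assumes Python's html.escape semantics, and the ErrorResponse text and EXPLAIN (FORMAT JSON) plan are constructed inputs). It generalises the two named Explain fields to every string value in the plan tree:

```python
# Added example, not pgAdmin's code: escape PostgreSQL-derived text at the
# backend before any HTML-rendering sink sees it. sanitize_external_text here is
# a stand-in built on html.escape; the error text and EXPLAIN (FORMAT JSON)
# plan below are constructed inputs.
import html
import json
from typing import Any

def sanitize_external_text(text: str) -> str:
    """Escape &, <, >, " and ' so the text stays inert if a client renders it
    as HTML. Apply it exactly once, at the trust boundary: escaping an
    already-escaped string turns "&lt;" into "&amp;lt;", which then displays
    as a literal "&lt;" in the UI."""
    return html.escape(text, quote=True)

def escape_plan_tree(node: Any) -> Any:
    """Escape every string value in an EXPLAIN plan tree, recursively.

    This goes beyond the two fields named in the advisory (Recheck Cond,
    Exact Heap Blocks): any string field can carry a user-chosen object
    name, so all strings are escaped; numbers, bools and None pass through."""
    if isinstance(node, str):
        return sanitize_external_text(node)
    if isinstance(node, list):
        return [escape_plan_tree(n) for n in node]
    if isinstance(node, dict):
        return {k: escape_plan_tree(v) for k, v in node.items()}
    return node

# Constructed: an ErrorResponse naming a table whose name contains markup, and
# a plan whose conditions reference a column named "<iframe>".
SAMPLE_ERROR = 'ERROR:  relation "<b>orders</b>" does not exist'
SAMPLE_PLAN = json.loads("""[{"Plan": {
  "Node Type": "Bitmap Heap Scan",
  "Relation Name": "orders",
  "Recheck Cond": "(\\"<iframe>\\" = 1)",
  "Exact Heap Blocks": 3,
  "Plans": [{"Node Type": "Bitmap Index Scan",
             "Index Cond": "(\\"<iframe>\\" = 1)"}]}}]""")

def escaped_outputs() -> tuple:
    """Return what the backend should hand to the error sinks and to the
    Explain visualizer respectively; the inputs are left unmodified."""
    return sanitize_external_text(SAMPLE_ERROR), escape_plan_tree(SAMPLE_PLAN)

if __name__ == "__main__":
    msg, plan = escaped_outputs()
    print(msg)
    print(json.dumps(plan, indent=1))
```

The escaped strings still need a frontend that renders them once: a sink that treats the result as plain text (the SafeMessage contract) shows the original characters, while a sink that parses it as HTML shows them too but with the markup neutralised.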
Exploits

No public exploit code observed for this vulnerability.

Affected products & vendors


Vendor    Product     Type
Pgadmin   Pgadmin 4   application

Vendor-confirmed product mapping.
