Mallory rating: Unrated

Stored XSS in pgAdmin 4 error and EXPLAIN rendering

Identifiers: CVE-2026-12048, CWE-79

CVE-2026-12048 is a stored cross-site scripting vulnerability in pgAdmin 4 affecting versions from 6.0 up to, but not including, 9.16. The flaw is in pgAdmin’s error-rendering and plan-node-rendering paths, where text returned by a PostgreSQL server was passed verbatim through html-react-parser into multiple user-facing UI sinks without adequate sanitization. Affected sinks included notifier toasts, form help and error areas, modal alert content, delete confirmations, ToolErrorView, SQL editor confirmation dialogs, preferences helper alerts, theme helper text, and the Explain visualiser’s NodeText panel. Exploitable input sources included PostgreSQL ErrorResponse messages and EXPLAIN output fields such as Recheck Cond and Exact Heap Blocks, as well as attacker-influenced object names such as crafted table or column names that the server reflects in error text or plans. As a result, an attacker controlling a PostgreSQL server, or a low-privilege database user able to create crafted object names on a server later viewed by a victim through pgAdmin, could inject arbitrary HTML into the pgAdmin DOM.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary HTML injection into the pgAdmin interface and can be leveraged for script execution in the browser context of the victim’s pgAdmin session. The advisory specifically notes iframe injection via srcdoc that can load attacker-served JavaScript and then redirect the top-level pgAdmin tab by writing to parent.location. This enables highly convincing in-application phishing because the malicious content is rendered inside the legitimate pgAdmin window, and standard anti-clickjacking controls such as X-Frame-Options and CSP frame-ancestors do not mitigate it. The advisory also states that this could lead to credential theft and unauthorized database operations across active connections.

Mitigation

If you can’t patch tonight, do this now.

No dedicated vendor workaround is described beyond patching. Until upgraded, avoid connecting pgAdmin to untrusted or attacker-controlled PostgreSQL servers, and avoid viewing EXPLAIN plans, error messages, or other UI content derived from low-trust databases where attackers can influence object names or server-returned text. Restrict which users can create database objects on shared servers accessed through pgAdmin where possible.

Remediation

Patch, then assume compromise.

Upgrade pgAdmin 4 to version 9.16 or later. The fix consists of multiple layers: DOMPurify sanitization was added around affected html-react-parser call sites in notifier, alert, form-error, Explain, and SQL-editor flows; a new plain-text rendering contract was introduced via SafeMessage and SafeHtmlMessage components and Notifier text helper methods, with numerous callers migrated away from rendering backend-derived strings as HTML; backend HTML escaping was added in execute_post_connection_sql through sanitize_external_text so external consumers do not receive raw markup; and the Explain renderer was patched to escape Recheck Cond and Exact Heap Blocks fields for defense in depth.
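The escape-before-render contract described in the vulnerability summary and in the remediation above, as an added example that is not pgAdmin’s own code. html-react-parser and DOMPurify are not used so that it runs offline in plain Node.js: escapeExternalText stands in for the backend escaping step, and sanitizePlanTree applies the same idea to every string field of an EXPLAIN (FORMAT JSON) tree rather than only the two fields named in the fix. The function names and sample data are constructed for this example.

```javascript
// Added example, not pgAdmin's code. Treats server-returned text as data, not
// markup, before it reaches an HTML sink. Real code would use DOMPurify or a
// plain-text component; the helpers below are stand-ins so this runs offline.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the characters that can change HTML parsing context.
function escapeExternalText(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Rough check for tag-like syntax in a string that is about to reach an HTML sink.
function containsMarkup(text) {
  return /<\s*\/?[a-z][^>]*>/i.test(String(text));
}

// Vulnerable shape: server text is handed to an HTML-parsing renderer verbatim.
function renderErrorUnsafe(serverMessage) {
  return serverMessage;
}

// Hardened shape: escape first, so the same bytes render as visible text.
function renderErrorSafe(serverMessage) {
  return escapeExternalText(serverMessage);
}

// Escape strings anywhere in a plan tree (child nodes live under "Plans");
// numbers, booleans and null pass through. Returns a new tree, input untouched.
function sanitizeValue(value) {
  if (typeof value === "string") return escapeExternalText(value);
  if (Array.isArray(value)) return value.map(sanitizeValue);
  if (value && typeof value === "object") return sanitizePlanTree(value);
  return value;
}
function sanitizePlanTree(node) {
  return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, sanitizeValue(v)]));
}

// Constructed samples: an ErrorResponse and a plan node whose identifiers carry
// an inert tag, standing in for a crafted column name reflected by the server.
const SAMPLE_ERROR = 'ERROR:  column "<b>qty</b>" does not exist';
const SAMPLE_PLAN = {
  "Node Type": "Bitmap Heap Scan",
  "Recheck Cond": '("<i>qty</i>" > 10)',
  "Exact Heap Blocks": 3,
  Plans: [{ "Node Type": "Bitmap Index Scan", "Index Cond": '("<i>qty</i>" > 10)' }],
};
```

The containsMarkup check is the kind of assertion a unit test can run over every string handed to an HTML sink; a true result on server-derived text means the escaping step was skipped.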

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

Valid: 0 / 0 total

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor    Product     Type
Pgadmin   Pgadmin 4   application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
