CVE-2025-12762

Remote Code Execution vulnerability when restoring PLAIN-format SQL dumps in server mode (pgAdmin 4)

Basic Information

CVE State: PUBLISHED
Reserved Date: November 05, 2025
Published Date: November 13, 2025
Last Updated: February 26, 2026
Vendor: pgadmin.org
Product: pgAdmin 4
Description: pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.

CVSS Scores

CVSS v3.1

9.1 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

SSVC Information

Exploitation: none
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2025-11-17 15:00:08 UTC)

Known Exploited Vulnerability Information

Source: The Shadowserver (via CIRCL)
Added Date: 2025-11-17 15:00:08 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel