Access Control Flaw in phpPgAdmin Affects User Session Security
CVE-2025-60799

6.1 MEDIUM

Key Information:

Vendor: phpPgAdmin

CVE Published: 20 November 2025

What is CVE-2025-60799?

phpPgAdmin versions 7.13.0 and earlier contain an access control vulnerability in the sql.php file. The script accepts user-controlled request parameters, such as 'subject', 'server', 'database', and 'queryid', and writes them into session variables without adequate validation, which allows unauthorized manipulation of session state. Attackers can exploit this weakness to inject arbitrary SQL queries into the session, potentially leading to session poisoning, stored cross-site scripting, or unauthorized access to sensitive data within user sessions.

CVSS v3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved