Stored Cross-Site Scripting Vulnerability in pgAdmin 4 by pgAdmin Org
CVE-2026-7814

4.8 MEDIUM

Key Information:

Vendor: pgAdmin Org
CVE Published: 11 May 2026

What is CVE-2026-7814?

A stored cross-site scripting (XSS) vulnerability exists in the Browser Tree and Explain Visualizer modules of pgAdmin 4. Both modules insert user-controlled PostgreSQL object names (database, schema, table and column names, among others) into DOM elements through the innerHTML property, so any HTML markup contained in a name is parsed as markup instead of being displayed as text. An attacker who controls an object name, for instance by creating or renaming a table in a database that pgAdmin users browse, can therefore supply a name that carries HTML and script, and that script executes in the browser of any pgAdmin user who interacts with the object in the tree or the explain view. pgAdmin 4 versions prior to 9.15 are affected; 9.15 fixes the issue by replacing innerHTML with textContent, which inserts the name as plain text and never parses it as markup.
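The pattern the advisory describes, as an added example that is not pgAdmin's own code: a hypothetical tree-node renderer built the vulnerable way (object name concatenated into markup destined for innerHTML) next to the hardened way (name inserted as text, which is what textContent guarantees), plus an audit helper that flags catalog rows whose names carry markup characters. The function names, the malicious table name and the catalog rows are all constructed for illustration; there is no real DOM here, so the innerHTML path is modelled as the HTML string a browser would parse.

```javascript
// Added example, not code from pgAdmin. Models the innerHTML vs textContent
// distinction behind the advisory without a browser DOM: the "innerHTML" path
// is the markup string a browser would parse, the "textContent" path is the
// same name with markup characters escaped, which yields identical visible
// text but no new elements.

// Constructed sample: a table name an attacker who can CREATE or ALTER
// objects in a browsed database might choose.
const MALICIOUS_TABLE_NAME = '<img src=x onerror="alert(document.cookie)">';
const BENIGN_TABLE_NAME = 'orders_2026';

// Escape the characters the HTML parser would otherwise treat as markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (hypothetical renderer): the raw object name is
// concatenated into markup that would be assigned to element.innerHTML,
// so a name containing a tag creates a real element.
function renderNodeLabelUnsafe(objectName) {
  return `<span class="tree-label">${objectName}</span>`;
}

// Hardened pattern: the label carries the escaped name, equivalent to
// creating the span and setting span.textContent = objectName.
function renderNodeLabelSafe(objectName) {
  return `<span class="tree-label">${escapeHtml(objectName)}</span>`;
}

// Count the elements a browser would create from a markup string.
// A crude tokenizer suffices here: every "<name" start tag is one element.
function countElements(html) {
  const tags = html.match(/<[a-zA-Z][^\s>\/]*/g);
  return tags ? tags.length : 0;
}

// Audit helper for operators who cannot upgrade immediately: flag rows
// whose schema or relation name contains markup characters. The rows are
// constructed here to mimic the shape of
//   SELECT n.nspname, c.relname
//   FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace;
function findMarkupInObjectNames(rows) {
  const suspicious = /[<>"'&]/;
  return rows
    .filter(r => suspicious.test(r.nspname) || suspicious.test(r.relname))
    .map(r => `${r.nspname}.${r.relname}`);
}

// Constructed catalog rows: one benign, one with a hostile relname,
// one with a hostile nspname.
const SAMPLE_CATALOG_ROWS = [
  { nspname: 'public', relname: BENIGN_TABLE_NAME },
  { nspname: 'public', relname: MALICIOUS_TABLE_NAME },
  { nspname: 'report<script>', relname: 'summary' },
];

console.log(renderNodeLabelUnsafe(MALICIOUS_TABLE_NAME)); // span plus an injected img element
console.log(renderNodeLabelSafe(MALICIOUS_TABLE_NAME));   // span only, name shown as text
console.log(findMarkupInObjectNames(SAMPLE_CATALOG_ROWS)); // two flagged objects
```

Running the audit query against each monitored database and feeding the rows to findMarkupInObjectNames gives a quick inventory of object names that would trigger the flaw in an unpatched client; upgrading to 9.15 remains the fix, since the tree is rendered by the client, not by the server.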

Affected Version(s)

pgAdmin 4 6.9 (the only version listed on the page; the description states that all versions prior to 9.15 are affected)

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined (not populated on the page)
User Interaction: Unknown (not populated on the page)

Timeline

  • Vulnerability reserved (date not stated)

  • Vulnerability published: 11 May 2026

Credit

Fahar Abbas