CVE-2026-7816

HIGH 8.8

pgAdmin 4: OS command injection in Import/Export query export via psql metacommand breakout

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export. User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable. Fix adds a parens-balance parser modeled on psql's strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks. This issue affects pgAdmin 4: before 9.15.

Vendor	pgadmin.org
Product	pgadmin 4
Published	May 11, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for pgadmin.org pgadmin 4

Be the first to know when new high vulnerabilities affecting pgadmin.org pgadmin 4 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

pgadmin.org / pgAdmin 4

9.4 < 9.15

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/pgadmin-org/pgadmin4/issues/9899

Credits

Chung Kim (chungkn), OneMount Group