CVE-2025-12763 MEDIUM

CVE-2025-12763: Command injection vulnerability allowing arbitrary command execution on Windows

Vendor: Pgadmin.org
Product: pgAdmin 4
Published: November 13, 2025
Last update: February 26, 2026

CVSS base score

6.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input.
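An audit check for the pattern named above, added here as an example and not taken from pgAdmin's code: it parses Python source and reports every subprocess call that passes a truthy shell= argument, noting whether the command is built at run time. The sample source and the names backup_unsafe and backup_safe are constructed for illustration.

```python
import ast

# Constructed sample source, not pgAdmin's code: a hypothetical backup helper
# written once with a shell string and once with an argument list.
SAMPLE = '''
import subprocess

def backup_unsafe(utility, out_path):
    # The file path is pasted into a string that cmd.exe or sh will parse.
    return subprocess.Popen(utility + " --file " + out_path, shell=True)

def backup_safe(utility, out_path):
    # Each argument stays one argv element; no shell ever parses the path.
    return subprocess.Popen([utility, "--file", out_path], shell=False)
'''

# subprocess entry points that accept shell=
SPAWNERS = {"Popen", "run", "call", "check_call", "check_output"}


def call_name(node):
    """Name of the called function: 'Popen' for both subprocess.Popen(...) and Popen(...)."""
    func = node.func
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)


def find_shell_true(source):
    """Return sorted (line, call name, dynamic) tuples for calls with a truthy shell=.

    dynamic is True when the first positional argument is not a literal,
    i.e. the command is assembled at run time and may contain caller input.
    A command passed as the args= keyword is not inspected.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or call_name(node) not in SPAWNERS:
            continue
        for kw in node.keywords:
            if kw.arg != "shell":
                continue
            # A constant False is fine; True or a non-constant value needs review.
            if isinstance(kw.value, ast.Constant) and not kw.value.value:
                continue
            dynamic = bool(node.args) and not isinstance(node.args[0], ast.Constant)
            findings.append((node.lineno, call_name(node), dynamic))
    return sorted(findings)


if __name__ == "__main__":
    for line, name, dynamic in find_shell_true(SAMPLE):
        print(f"line {line}: {name}(..., shell=True) dynamic_command={dynamic}")
```

Findings with dynamic set to True are the ones to review first, since a run-time-built command string is where a file path can reach the shell.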

Key dates

02 Disclosure timeline

November 13, 2025: CVE published
February 26, 2026: Record updated