CVE-2026-7814 MEDIUM

CVE-2026-7814: pgAdmin 4: Stored XSS via crafted PostgreSQL object names in Browser Tree and Explain Visualizer

Vendor Pgadmin.org
Product pgAdmin 4
Published May 11, 2026
Last update May 11, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules. User-controlled PostgreSQL object names (database, schema, table, column, etc.) were assigned to DOM elements via innerHTML, allowing crafted object names containing HTML markup to execute attacker-supplied JavaScript in the browser of any pgAdmin user who navigated to or executed EXPLAIN over the malicious object. Fix replaces innerHTML with textContent. This issue affects pgAdmin 4: before 9.15.

Key dates

02Disclosure timeline

May 11, 2026 CVE published
May 11, 2026 Record updated