CVE-2026-7814

Published: May 11, 2026 Last Modified: May 11, 2026
CVSS v4.0: MEDIUM 4.8
Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Attack Vector: network
Attack Complexity: low
Privileges Required: high
User Interaction: passive
Confidentiality: N/A
Integrity: N/A
Availability: N/A
CVSS v3.x: MEDIUM 4.8
Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Attack Vector: network
Attack Complexity: low
Privileges Required: high
User Interaction: required
Scope: changed
Confidentiality: low
Integrity: low
Availability: none

Description

Stored cross-site scripting (XSS) vulnerability in the pgAdmin 4 Browser Tree and Explain Visualizer modules.

User-controlled PostgreSQL object names (database, schema, table, column, etc.) were assigned to DOM elements via innerHTML, so a crafted object name containing HTML markup executed attacker-supplied JavaScript in the browser of any pgAdmin user who navigated to the object or ran EXPLAIN over it.

The fix replaces innerHTML with textContent, so object names are rendered as text rather than parsed as markup.

This issue affects pgAdmin 4 versions before 9.15.
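As an added illustration, not pgAdmin's code and not part of the CVE record, the following JavaScript shows the vulnerable and fixed DOM-write patterns the description refers to, a catalog scan for object names that carry markup, and the identifier length bound a crafted name must fit within. The sample object name, the catalog rows and the function names are constructed for this example; pgAdmin's own Browser Tree and Explain Visualizer code is not reproduced here.

```javascript
// Added example, not pgAdmin's code. Shows the innerHTML vs textContent pattern
// from the CVE description, a catalog check for markup-bearing names, and the
// PostgreSQL identifier length bound a crafted name must satisfy.

// PostgreSQL truncates identifiers to NAMEDATALEN - 1 = 63 bytes, so any
// payload hidden in an object name must fit in 63 bytes of UTF-8.
const MAX_IDENT_BYTES = 63;

// Constructed crafted object name (hypothetical payload): a quoted identifier
// may hold arbitrary characters, e.g.
//   CREATE TABLE "<img src=x onerror=alert(document.domain)>" (id int);
const MALICIOUS_NAME = '<img src=x onerror=alert(document.domain)>';

function fitsIdentifier(name) {
  return Buffer.byteLength(name, 'utf8') <= MAX_IDENT_BYTES;
}

// Vulnerable pattern (pre-9.15 behaviour described in the record): the browser
// parses the name as HTML, creates the <img>, and runs its onerror handler.
function renderLabelVulnerable(el, name) {
  el.innerHTML = name;
  return el;
}

// Fixed pattern: the name becomes a single text node; "<img ...>" is displayed
// literally and nothing is parsed or executed.
function renderLabelFixed(el, name) {
  el.textContent = name;
  return el;
}

// If a code path genuinely must build markup from a name, escape it first.
// textContent is still preferable because it cannot be forgotten per call site.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed rows shaped like the result of
//   SELECT n.nspname, c.relname
//     FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace;
// Run the same check over pg_attribute.attname and pg_database.datname for
// column and database names, which the description lists as affected too.
const SAMPLE_ROWS = [
  { nspname: 'public', relname: 'orders' },
  { nspname: 'public', relname: 'a & b' },            // '&' alone creates no element
  { nspname: 'public', relname: MALICIOUS_NAME },
  { nspname: '<svg onload=alert(1)>', relname: 't' }, // schema names are rendered too
];

// A name that can create an element when parsed as HTML must contain '<'.
// '>' is flagged as well so that truncated or mangled payloads still surface.
const MARKUP_CHARS = /[<>]/;

function findMarkupBearingNames(rows) {
  return rows.filter((r) => MARKUP_CHARS.test(r.nspname) || MARKUP_CHARS.test(r.relname));
}

// Stand-alone run: under Node a plain object stands in for the DOM element and
// simply records which property each pattern writes.
const fixedEl = renderLabelFixed({}, MALICIOUS_NAME);
const vulnerableEl = renderLabelVulnerable({}, MALICIOUS_NAME);
console.log('payload fits identifier:', fitsIdentifier(MALICIOUS_NAME));
console.log('fixed writes textContent:', fixedEl.textContent === MALICIOUS_NAME);
console.log('vulnerable writes innerHTML:', vulnerableEl.innerHTML === MALICIOUS_NAME);
console.log('flagged names:', findMarkupBearingNames(SAMPLE_ROWS).map((r) => `${r.nspname}.${r.relname}`));
console.log('escaped:', escapeHtml(MALICIOUS_NAME));
```

In a browser the two render functions take a real element; under Node a plain object only records the assignment, which is enough to see which property each pattern writes. Creating an object with such a name requires the right to create or rename objects in the target database, which is consistent with the record rating Privileges Required as high; the catalog check is the inventory step a DBA can run before users on unpatched pgAdmin browse a shared database.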

https://github.com/pgadmin-org/pgadmin4/pull/9865