Vulnerability DatabaseCVE-2025-12763
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-12763
November 13, 2025
pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input.
Affected Packages
pgadmin4 (PYTHON):
Affected version(s) >=4.20 <9.10
Fix Suggestion:
Update to version 9.10
https://github.com/pgadmin-org/pgadmin4.git (SCM_GIT):
Affected version(s) >=REL-1_0-BETA1 <REL-9_10
Fix Suggestion:
Update to version REL-9_10
Related ResourcesĀ (4)
https://github.com/pgadmin-org/pgadmin4
https://github.com/pgadmin-org/pgadmin4/issues/9323
https://github.com/pgadmin-org/pgadmin4/commit/e374edc69239b3e02ecde895e27d9f9e488b87ee
https://nvd.nist.gov/vuln/detail/CVE-2025-12763
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.5
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-78
EPSS
Base Score:
0.06