| # | CVSS | Severity | Vector | | | Description | Status | CWE | CWE name | CVE | Timestamp | Date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1541 | 2.7 | LOW | Network | - | - | When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted. This is… | New | CWE-532 | Inclusion of Sensitive Information in Log Files | CVE-2026-8200 | 2026-05-14 00:34 | 2026-05-13 |
| 1542 | 4.3 | MEDIUM | Network | - | - | Using a densely populated chars mask and a large input string in the MongoDB aggregation operators $trim, $ltrim, and $rtrim, an authenticated user with aggregation permissions can pin CPU utilizatio… | New | CWE-770 | Allocation of Resources Without Limits or Throttling | CVE-2026-8202 | 2026-05-14 00:34 | 2026-05-13 |
| 1543 | 4.8 | MEDIUM | Network | - | - | Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules. User-controlled PostgreSQL object names (database, schema, table, column, etc.) were assigne… | Update | CWE-79 | Cross-site Scripting | CVE-2026-7814 | 2026-05-14 00:34 | 2026-05-12 |
| 1544 | 9.9 | CRITICAL | Network | - | - | Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetched user-owned objects witho… | Update | CWE-284 | Improper Access Control | CVE-2026-7813 | 2026-05-14 00:34 | 2026-05-12 |
| 1545 | 8.8 | HIGH | Network | - | - | SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly i… | Update | CWE-89 | SQL Injection | CVE-2026-7815 | 2026-05-14 00:34 | 2026-05-12 |
| 1546 | 8.8 | HIGH | Network | - | - | OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export. User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An aut… | Update | CWE-89 | SQL Injection | CVE-2026-7816 | 2026-05-14 00:34 | 2026-05-12 |
| 1547 | 6.5 | MEDIUM | Network | - | - | Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints. User-supplied api_key_file and api_url preferences were passed to the … | Update | CWE-552 | Files or Directories Accessible to External Parties | CVE-2026-7817 | 2026-05-14 00:34 | 2026-05-12 |
| 1548 | 7.0 | HIGH | Local | - | - | Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager. The session manager performed unsafe deserialization of session-file contents (using Python's standard object-seria… | Update | CWE-502 | Deserialization of Untrusted Data | CVE-2026-7818 | 2026-05-14 00:34 | 2026-05-12 |
| 1549 | 8.1 | HIGH | Network | - | - | Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager. check_access_permission used os.path.abspath, which resolves '..' but does not resolve symbolic links, while the subsequent k… | Update | CWE-61 | UNIX Symbolic Link (Symlink) Following | CVE-2026-7819 | 2026-05-14 00:34 | 2026-05-12 |
| 1550 | 6.5 | MEDIUM | Network | - | - | Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4. pgAdmin enforces MAX_LOGIN_ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login… | Update | CWE-307 | Improper Restriction of Excessive Authentication Attempts | CVE-2026-7820 | 2026-05-14 00:34 | 2026-05-12 |