|
1091
|
7.5 |
HIGH
Network
|
-
|
-
|
After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the se…
New
|
CWE-416
Use After Free
|
CVE-2026-8336
|
2026-05-14 00:34 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1092
|
9.9 |
CRITICAL
Network
|
-
|
-
|
Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules.
Multiple endpoints fetched user-owned objects witho…
New
|
CWE-284
Improper Access Control
|
CVE-2026-7813
|
2026-05-14 00:34 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1093
|
4.8 |
MEDIUM
Network
|
-
|
-
|
Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules.
User-controlled PostgreSQL object names (database, schema, table, column, etc.) were assigne…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-7814
|
2026-05-14 00:34 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1094
|
8.8 |
HIGH
Network
|
-
|
-
|
SQL injection vulnerability in pgAdmin 4 Maintenance Tool.
Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly i…
New
|
CWE-89
SQL Injection
|
CVE-2026-7815
|
2026-05-14 00:34 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1095
|
8.8 |
HIGH
Network
|
-
|
-
|
OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export.
User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An aut…
New
|
CWE-89
SQL Injection
|
CVE-2026-7816
|
2026-05-14 00:34 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1096
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints.
User-supplied api_key_file and api_url preferences were passed to the …
New
|
CWE-552
Files or Directories Accessible to External Parties
|
CVE-2026-7817
|
2026-05-14 00:34 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1097
|
7.0 |
HIGH
Local
|
-
|
-
|
Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager.
The session manager performed unsafe deserialization of session-file contents (using Python's standard object-seria…
New
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-7818
|
2026-05-14 00:34 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1098
|
8.1 |
HIGH
Network
|
-
|
-
|
Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager.
check_access_permission used os.path.abspath, which resolves '..' but does not resolve symbolic links, while the subsequent k…
New
|
CWE-61
UNIX Symbolic Link (Symlink) Following
|
CVE-2026-7819
|
2026-05-14 00:34 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1099
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4.
pgAdmin enforces MAX_LOGIN_ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login…
New
|
CWE-307
mproper Restriction of Excessive Authentication Attempts
|
CVE-2026-7820
|
2026-05-14 00:34 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1100
|
- |
|
-
|
-
|
Improper input validation in FacAtFunction in Galaxy Watch prior to SMR May-2026 Release 1 allows local attacker to execute arbitrary code with system privilege.
New
|
-
|
CVE-2026-21019
|
2026-05-14 00:33 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
