CVE-2025-60796: phppgadmin vulnerable to Cross-site Scripting
phpPgAdmin versions 7.13.0 and earlier contain multiple cross-site scripting (XSS) vulnerabilities across various components. User-supplied inputs from $_REQUEST parameters are reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php, admin.php, and other unspecified files. An attacker can exploit these vulnerabilities to execute arbitrary JavaScript in victims’ browsers, potentially leading to session hijacking, credential theft, or other malicious actions.
References
- github.com/advisories/GHSA-h369-cpjj-qfff
- github.com/phppgadmin/phppgadmin
- github.com/phppgadmin/phppgadmin/blob/master/admin.php
- github.com/phppgadmin/phppgadmin/blob/master/indexes.php
- github.com/phppgadmin/phppgadmin/blob/master/sequences.php
- github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60796.md
- nvd.nist.gov/vuln/detail/CVE-2025-60796
Code Behaviors & Features
Detect and mitigate CVE-2025-60796 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →