CVE-2025-12763: pgAdmin 4 has command injection vulnerability on Windows systems

November 13, 2025

pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input.

References

github.com/advisories/GHSA-rm79-x4g6-hvg5
github.com/pgadmin-org/pgadmin4
github.com/pgadmin-org/pgadmin4/commit/e374edc69239b3e02ecde895e27d9f9e488b87ee
github.com/pgadmin-org/pgadmin4/issues/9323
nvd.nist.gov/vuln/detail/CVE-2025-12763

Code Behaviors & Features

Detect and mitigate CVE-2025-12763 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →