CVE-2025-2946: pgAdmin 4 Vulnerable to Cross-Site Scripting (XSS) via Query Result Rendering
pgAdmin <= 9.1 is affected by a Cross-Site Scripting (XSS) vulnerability. Through query result rendering, attackers can execute arbitrary HTML/JavaScript in a user’s browser.