
Stored XSS in pgAdmin 4 error and EXPLAIN rendering

Identifiers: CVE-2026-12048, CWE-79

CVE-2026-12048 is a stored cross-site scripting vulnerability in pgAdmin 4 affecting versions from 6.0 up to, but not including, 9.16. The flaw is caused by pgAdmin passing PostgreSQL server-supplied text verbatim through html-react-parser across multiple user-facing rendering paths, including error rendering and EXPLAIN plan node rendering. Affected sinks include notifier toasts, form help/error components, modal alert content, deletion confirmations, tool error views, the Explain visualiser NodeText panel, SQL editor confirmation dialogs, preferences helper alerts, and related helper text paths. Exploitation is possible when a PostgreSQL server controlled by an attacker returns crafted ErrorResponse content, or when attacker-influenced object names such as table or column names are reflected in server responses or in EXPLAIN output fields; examples include relation-does-not-exist errors and the EXPLAIN Recheck Cond and Exact Heap Blocks fields. Because the returned text was rendered as HTML, an attacker could inject arbitrary markup into the pgAdmin DOM, including iframe elements. The issue also affected post-connection SQL handling prior to the addition of backend escaping via sanitize_external_text.


Analyst brief: impact, mitigation & remediation


Impact


Successful exploitation allows arbitrary HTML injection into the pgAdmin interface in the victim's browser session. The documented attack path includes injecting an iframe whose srcdoc loads attacker-controlled JavaScript and then redirects the top-level pgAdmin tab via parent.location to attacker-controlled content. This enables highly convincing phishing or UI redressing within the legitimate pgAdmin window and can mislead users into disclosing credentials or taking attacker-directed actions. The advisory specifically notes that anti-clickjacking controls such as X-Frame-Options and CSP frame-ancestors do not mitigate this scenario because the malicious content is injected inside pgAdmin's own DOM. The provided metadata rates the issue Critical with CVSS 9.3.

Mitigation


If immediate upgrade is not possible, avoid connecting pgAdmin to untrusted or attacker-controlled PostgreSQL servers. Avoid viewing EXPLAIN plans, error messages, or other UI content derived from low-trust databases where low-privilege users can create attacker-controlled object names such as tables or columns. Restrict which database servers users may register in pgAdmin and limit exposure to shared or hostile PostgreSQL environments until patched. No complete workaround equivalent to the vendor fix is provided in the available content.

Remediation


Upgrade pgAdmin 4 to version 9.16 or later. The fix consists of three layers: DOMPurify sanitization around vulnerable html-react-parser call sites reachable from notifier, alert, form-error, Explain, and SQL-editor flows; migration to a plain-text rendering contract using SafeMessage / SafeHtmlMessage components and Notifier text helpers for backend-derived strings; and backend HTML escaping in execute_post_connection_sql via sanitize_external_text so external consumers do not receive raw markup. The Explain plan-info renderer was also patched to escape Recheck Cond and Exact Heap Blocks fields for defense in depth.
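As an added illustration (not pgAdmin's own code, and not a reproduction of the patched html-react-parser call sites or of sanitize_external_text), the following JavaScript applies the plain-text rendering contract described above to a constructed EXPLAIN (FORMAT JSON) plan tree and to error text: every backend-derived string is HTML-escaped before it could reach an HTML-parsing renderer, and a defender-side check flags server-supplied strings that carry active markup. The function names, the regular expression and the sample plan are assumptions made here.

```javascript
// Added example (not pgAdmin's own code). The EXPLAIN plan below is constructed
// for illustration; nothing here is taken from the project's source.

// Escape the five HTML-significant characters so a server-supplied string can
// only ever render as literal text, never as markup. This is the "plain-text
// rendering contract" for backend-derived strings.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Defender-side check (hypothetical): does a backend-derived string contain
// markup that would become active if parsed as HTML? Suitable for logging or
// alerting on suspicious ErrorResponse or EXPLAIN content from a database.
const ACTIVE_MARKUP =
  /<\s*(iframe|script|object|embed|svg|img|a)\b|\bon\w+\s*=|javascript:/i;
function containsActiveMarkup(text) {
  return ACTIVE_MARKUP.test(String(text));
}

// Walk an EXPLAIN JSON plan tree and escape every string-valued field,
// including nested "Plans". Escaping all strings, not only the fields known to
// be reachable (such as "Recheck Cond"), is the defence-in-depth idea; numeric
// fields such as "Exact Heap Blocks" pass through unchanged.
function escapePlanStrings(node) {
  if (Array.isArray(node)) return node.map(escapePlanStrings);
  if (node && typeof node === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(node)) out[k] = escapePlanStrings(v);
    return out;
  }
  return typeof node === 'string' ? escapeHtml(node) : node;
}

// Constructed sample: a bitmap heap scan whose Recheck Cond echoes a column
// name containing markup, as a low-privilege database user could create.
const samplePlan = [{
  Plan: {
    'Node Type': 'Bitmap Heap Scan',
    'Relation Name': 't',
    'Recheck Cond': '("<iframe srcdoc=\'x\'></iframe>" = 1)',
    'Exact Heap Blocks': 1,
    Plans: [{ 'Node Type': 'Bitmap Index Scan', 'Index Cond': '(id = 1)' }],
  },
}];
```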
Public exploits


No public exploit code observed for this vulnerability.

Exposure surface: affected products & vendors


Vendor     Product      Type
Pgadmin    Pgadmin 4    application

