目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%

CVE-2026-12048— pgAdmin 4 存储型XSS漏洞

CVSS 9.3 · Critical EPSS 0.21% · P11

影响版本矩阵 1

厂商产品版本范围状态
pgadmin.orgpgAdmin 46.0< 9.16affected
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2026-12048 基础信息

漏洞信息

对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
pgAdmin 4: Stored XSS via untrusted error and plan-node text rendered through html-react-parser
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server (ErrorResponse messages, including object names quoted back inside relation-does-not-exist errors and inside EXPLAIN Recheck Cond / Exact Heap Blocks fields) was passed verbatim through html-react-parser at every user-facing sink — the notifier toasts, FormFooterMessage / FormInput help and error areas, FormNote, ModalProvider AlertContent and confirmDelete, ToolErrorView, the Explain visualiser's NodeText panel, the SQL editor confirm dialogs, ConfirmSaveContent, PreferencesHelper modal alerts, and SelectThemes helper text. A PostgreSQL server an attacker controls — or any server returning attacker-influenced text such as a table or column name a low-privilege database user can create — could inject arbitrary HTML (including <iframe>) into the pgAdmin DOM the moment the victim's pgAdmin connected to that server or viewed an Explain plan that referenced the crafted object. The injected iframe's srcdoc could fetch attacker-served JavaScript and, by writing to parent.location, redirect the victim's top-level pgAdmin browser tab to an attacker-controlled URL. Because the injection originates from inside pgAdmin's own interface, standard anti-clickjacking controls (X-Frame-Options, Content-Security-Policy: frame-ancestors) do not mitigate it. A phishing page rendered inside the legitimate pgAdmin window is indistinguishable from a genuine pgAdmin dialog. Fix combines three complementary layers. (1) DOMPurify sanitisation is wrapped around every html-react-parser call site reachable from notifier, alert, form-error, Explain, and SQL-editor flows. (2) A new plain-text rendering contract — SafeMessage / SafeHtmlMessage components plus Notifier.errorText / alertText / warningText / infoText / successText helpers — is introduced; around fifty callers across browser, tools, dashboard, debugger, misc, llm, preferences, schema diff, and the SQL editor that previously interpolated backend-derived strings are migrated to the plain-text variants. (3) Backend HTML-escape is applied at the post-connection-SQL handler (execute_post_connection_sql) via a new sanitize_external_text helper, so third-party JSON consumers (audit logs, API clients) never receive raw markup either; the Explain plan-info renderer is also patched to _.escape Recheck Cond and Exact Heap Blocks at construction (matching every sibling field), giving defence in depth even before DOMPurify runs. This issue affects pgAdmin 4: from 6.0 before 9.16.
来源: 美国国家漏洞数据库 NVD
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
来源: 美国国家漏洞数据库 NVD

受影响产品

厂商产品影响版本CPE订阅
pgadmin.orgpgAdmin 4 6.0 ~ 9.16 -

二、漏洞 CVE-2026-12048 的公开POC

#POC 描述源链接神龙链接
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2026-12048 的情报信息

登录查看更多情报信息。

同批安全公告 · pgadmin.org · 2026-06-18 · 共 7 条

CVE-2026-120459.0 CRITICALpgAdmin 4 AI助手读写权限绕过导致远程代码执行
CVE-2026-120469.0 CRITICALpgAdmin 4 SQL编辑器远程代码执行漏洞
CVE-2026-120448.8 HIGHpgAdmin 4 注释描述注入漏洞
CVE-2026-120494.3 MEDIUMpgAdmin 4 多因素认证流程中未验证的'next'参数导致开放重定向漏洞
CVE-2026-120504.3 MEDIUMpgAdmin 4 命名还原点端点SQL注入漏洞
CVE-2026-120473.5 LOWpgAdmin 4 云端认证/部署端点HTML注入漏洞

IV. Related Vulnerabilities

V. Comments for CVE-2026-12048

暂无评论


发表评论