Upstream information
Description
SQL injection in pgAdmin 4 across every dialog template that renders ``COMMENT ON ... IS '<description>'`` for a user-supplied description field. The Jinja templates for Domains (and their constraints), Foreign Tables, Languages, and Event Triggers, plus the Views OID-lookup query, interpolated the description directly inside a single-quoted SQL literal -- ``'{{ data.description }}'`` -- instead of passing it through the ``qtLiteral`` escape filter. An authenticated pgAdmin user with permission to create or alter the affected object types could submit a description containing an apostrophe, break out of the literal and chain arbitrary SQL. The injected SQL runs under the PostgreSQL role the user is already authenticated as; for a connected role with ``COPY ... TO/FROM PROGRAM`` (typically PostgreSQL superuser), this chains to OS command execution on the PostgreSQL host. The defect does not cross a privilege boundary -- the user already has direct SQL access to that role through pgAdmin's Query Tool -- so the attacker gains no capability beyond what their database role already grants. The marginal impact captures bypass of any application-layer Query Tool gating an operator may have configured.The defect was originally reported against the Domain Dialog ``description`` field; a code-wide audit identified sixteen sites of the same pattern across the templates listed above. The same review also surfaced ten related sinks in the pgstattuple/pgstatindex stats templates -- ``pgstattuple('{{schema}}.{{table}}')`` and the matching pgstatindex shape -- where ``qtIdent`` escapes embedded double quotes inside the identifier but not apostrophes, so a user with CREATE privilege on a schema could plant a table or index named ``foo'bar`` and a later stats viewer would render an unbalanced literal.
Fix is layered:
1. Sites: replace every ``'{{ x.description }}'`` with ``{{ x.description|qtLiteral(conn) }}`` (no surrounding quotes -- the filter wraps the value in escaped quotes itself). Plumb ``conn=self.conn`` through every ``render_template`` call that loads one of these templates. Also corrects a ``{ % elif`` Jinja typo in the foreign-table schema diff (dead branch). Rewrite the ten pgstattuple/pgstatindex stats sites to address the relation via OID + ``::oid::regclass`` cast (e.g. ``pgstattuple({{ tid }}::oid::regclass)``), eliminating the embedded literal-call form entirely so that bug-class can no longer recur there.
2. Driver hardening: ``qtLiteral`` (in ``utils/driver/psycopg3/__init__.py``) used to silently return the raw unescaped value when its ``conn`` argument was falsy. It now raises ``ValueError`` -- surfacing the entire bug class going forward. The change immediately uncovered eight latent plumbing bugs (in ``schemas/__init__.py``, ``schemas/functions/__init__.py``, ``schemas/tables/utils.py``, ``foreign_servers/__init__.py``, and seven sites in ``roles/__init__.py``) -- all fixed as part of this patch. The inner ``except`` block that swallowed adapter-level failures and returned the raw value is also removed, so unadaptable inputs raise instead of leaking unescaped values.
3. Regression tests: a per-template behavioural test renders each previously-vulnerable template with an apostrophe-injection payload and asserts the escaped fragment is present and the vulnerable fragment absent; a lint test walks every ``*.sql`` template flagging any ``'{{ ... }}'`` single-quote-wrapped interpolation against an explicit allowlist; unit tests cover the new qtLiteral fail-fast and inner-except raise paths.
This issue affects pgAdmin 4: from 1.0 before 9.16.
SUSE information
Overall state of this security issue: Pending
This issue is currently rated as having important severity.
| CVSS detail | CNA (PostgreSQL) | SUSE |
|---|---|---|
| Base Score | 8.8 | 8.8 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Privileges Required | Low | Low |
| User Interaction | None | None |
| Scope | Unchanged | Unchanged |
| Confidentiality Impact | High | High |
| Integrity Impact | High | High |
| Availability Impact | High | High |
| CVSSv3 Version | 3.1 | 3.1 |
| CVSS detail | CNA (PostgreSQL) | SUSE |
|---|---|---|
| Base Score | 8.7 | 8.7 |
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Attack Requirements | None | None |
| Privileges Required | Low | Low |
| User Interaction | None | None |
| Vulnerable System Confidentiality Impact | High | High |
| Vulnerable System Integrity Impact | High | High |
| Vulnerable System Availability Impact | High | High |
| Subsequent System Confidentiality Impact | None | None |
| Subsequent System Integrity Impact | None | None |
| Subsequent System Availability Impact | None | None |
| CVSSv4 Version | 4.0 | 4.0 |
Status of this issue by product and package
Please note that this evaluation state might be work in progress, incomplete or outdated. Also information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification. The updates are grouped by state of their lifecycle. SUSE product lifecycles are documented on the lifecycle page.
| Product(s) | Source package | State |
|---|---|---|
| Products under general support and receiving all security fixes. | ||
| SUSE Linux Enterprise Desktop 15 SP7 | pgadmin4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | pgadmin4 | Affected |
| SUSE Linux Enterprise Module for Python 3 15 SP7 | pgadmin4 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | pgadmin4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | pgadmin4 | Affected |
| Products under Long Term Service Pack support and receiving important and critical security fixes. | ||
| SUSE Linux Enterprise High Performance Computing 15 SP4 | pgadmin4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | pgadmin4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | pgadmin4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | pgadmin4 | Affected |
| SUSE Linux Enterprise Module for Python 3 15 SP6 | pgadmin4 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP4 | pgadmin4 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP5 | pgadmin4 | Affected |
| SUSE Linux Enterprise Server 15 SP4 | pgadmin4 | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | pgadmin4 | Affected |
| SUSE Linux Enterprise Server 15 SP5 | pgadmin4 | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | pgadmin4 | Affected |
| SUSE Linux Enterprise Server 15 SP6 | pgadmin4 | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | pgadmin4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | pgadmin4 | Affected |
| SUSE Manager Proxy 4.3 | pgadmin4 | Affected |
| SUSE Manager Proxy LTS 4.3 | pgadmin4 | Affected |
| SUSE Manager Retail Branch Server 4.3 | pgadmin4 | Affected |
| SUSE Manager Retail Branch Server LTS 4.3 | pgadmin4 | Affected |
| SUSE Manager Server 4.3 | pgadmin4 | Affected |
| SUSE Manager Server LTS 4.3 | pgadmin4 | Affected |
| Products past their end of life and not receiving proactive updates anymore. | ||
| SUSE CaaS Platform 4.0 | pgadmin4 | Affected |
| SUSE Enterprise Storage 6 | pgadmin4 | Affected |
| SUSE Enterprise Storage 7 | pgadmin4 | Affected |
| SUSE Enterprise Storage 7.1 | pgadmin4 | Affected |
| SUSE Linux Enterprise Desktop 15 SP6 | pgadmin4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | pgadmin4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | pgadmin4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | pgadmin4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | pgadmin4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | pgadmin4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | pgadmin4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | pgadmin4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | pgadmin4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | pgadmin4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | pgadmin4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | pgadmin4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | pgadmin4 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP1 | pgadmin4 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP2 | pgadmin4 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP3 | pgadmin4 | Affected |
| SUSE Linux Enterprise Real Time 15 SP2 | pgadmin4 | Affected |
| SUSE Linux Enterprise Real Time 15 SP3 | pgadmin4 | Affected |
| SUSE Linux Enterprise Real Time 15 SP4 | pgadmin4 | Affected |
| SUSE Linux Enterprise Server 15 SP1 | pgadmin4 | Affected |
| SUSE Linux Enterprise Server 15 SP1-BCL | pgadmin4 | Affected |
| SUSE Linux Enterprise Server 15 SP1-LTSS | pgadmin4 | Affected |
| SUSE Linux Enterprise Server 15 SP2 | pgadmin4 | Affected |
| SUSE Linux Enterprise Server 15 SP2-BCL | pgadmin4 | Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | pgadmin4 | Affected |
| SUSE Linux Enterprise Server 15 SP3 | pgadmin4 | Affected |
| SUSE Linux Enterprise Server 15 SP3-BCL | pgadmin4 | Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | pgadmin4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | pgadmin4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | pgadmin4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | pgadmin4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | pgadmin4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | pgadmin4 | Affected |
| SUSE Manager Proxy 4.0 | pgadmin4 | Affected |
| SUSE Manager Proxy 4.1 | pgadmin4 | Affected |
| SUSE Manager Proxy 4.2 | pgadmin4 | Affected |
| SUSE Manager Retail Branch Server 4.0 | pgadmin4 | Affected |
| SUSE Manager Retail Branch Server 4.1 | pgadmin4 | Affected |
| SUSE Manager Retail Branch Server 4.2 | pgadmin4 | Affected |
| SUSE Manager Server 4.0 | pgadmin4 | Affected |
| SUSE Manager Server 4.1 | pgadmin4 | Affected |
| SUSE Manager Server 4.2 | pgadmin4 | Affected |
| openSUSE Leap 15.3 | pgadmin4 | Affected |
| openSUSE Leap 15.4 | pgadmin4 | Affected |
| openSUSE Leap 15.5 | pgadmin4 | Affected |
SUSE Timeline for this CVE
CVE page created: Fri Jun 19 04:01:21 2026CVE page last modified: Fri Jun 19 13:28:43 2026