SCA: security update for pgadmin4 (GHSA-hp84-p2gq-6fvr)

high Tenable Self-Hosted Container Security Plugin ID 442103

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- SQL injection vulnerability in the pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host. The fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter. This issue affects pgAdmin 4: before 9.15. (CVE-2026-7815)

Solution

Update the pgadmin4 library and its related packages to version 9.15 or later.

See Also

https://github.com/advisories/GHSA-hp84-p2gq-6fvr

Plugin Details

Severity: High

ID: 442103

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 5/18/2026

Updated: 6/8/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.85

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-7815

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.3

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/11/2026

Vulnerability Publication Date: 5/11/2026

Reference Information

CVE: CVE-2026-7815

CWE: CWE-89