CVE intelligence and bounded remediation
CVE-2026-12048 — Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths
Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server (ErrorResponse messages, including object names quoted back inside relation-does-not-exist errors and inside EXPLAIN Recheck Cond / Exact Heap Blocks fields) was passed verbatim through html-react-parser at every user-facing sink — the notifier toasts, FormFooterMessage / FormInput help and error areas, FormNote, ModalProvider AlertContent and confirmDelete, ToolErrorView, the Explain visualiser's NodeText panel, the SQL editor confirm dialogs, ConfirmSaveContent, PreferencesHelper modal alerts, and SelectThemes helper text. A PostgreSQL server an attacker controls — or any server returning attacker-influenced text such as a table or column name a low-privilege database user can create — could inject arbitrary HTML (including <iframe>) into the pgAdmin DOM the moment the victim's pgAdmin connected to that server or viewed an Explain plan that referenced the crafted object. The injected iframe's srcdoc could fetch attacker-served JavaScript and, by writing to parent.location, redirect the victim's top-level pgAdmin browser tab to an attacker-controlled URL.…
- Severity
- Critical
- CVSS
- 9.3 (4.0)
- Published
- 2026-06-19
- CISA KEV
- Not currently listed
- Ecosystem
- javascript/npm
- Weaknesses
- CWE-79, CWE-116
Affected products
- pgadmin / pgadmin_4
Matched remediation archetype
Cross-site scripting and unsafe browser output
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Trace reflected, stored, and DOM-derived untrusted values into HTML, attributes, URLs, styles, scripts, and client-side template sinks.
- Identify affected origins, authenticated user roles, sensitive browser capabilities, and where content is shared across tenants.
- Review framework escaping, rich-text sanitization, legacy templates, and client-side rendering paths.
Remediate safely
- Use context-aware framework output encoding and safe DOM APIs; keep untrusted data out of executable contexts.
- Sanitize intentionally supported markup with a maintained allowlist policy and validate URLs and attributes separately.
- Update affected rendering components and add tests for every output context using inert sentinel markup.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.