Cyber Resilience

CVE-2026-7815

Severity: High

Published: 11 May 2026
Modified: 26 May 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: fixed in pgAdmin 4 9.15 (see Vulnerability details)
CVSS v4.0 base score: 8.7 (High), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS score: 0.0046 (36.4th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-7815 is a high-severity SQL injection (CWE-89) vulnerability in pgAdmin 4 (vendor: pgAdmin). Its CVSS v4.0 base score is 8.7 (High); the vector describes a network-reachable attack with low complexity and no user interaction that requires a low-privileged authenticated account (PR:L) and yields high confidentiality, integrity and availability impact on the vulnerable system.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 36.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

SQL injection vulnerability in the pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host; note that COPY ... TO PROGRAM requires the connected role to be a superuser or a member of pg_execute_server_program, so the OS-level impact depends on the privileges of the database account pgAdmin connects with. The fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter. This issue affects pgAdmin 4 before 9.15.
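The mechanism above, modelled as an added example (this is not pgAdmin's own code): the pre-fix string concatenation beside a hardened version that applies the two remedies the advisory names, server-side allow-listing for the three option fields and identifier quoting for reindex_tablespace. The function names, the allow-list bounds and the request bodies are this example's assumptions; pgAdmin's real filter is called qtIdent and its templates are not reproduced here.

```python
"""Constructed model of the injection pattern described for CVE-2026-7815.

Added example, not pgAdmin's code. It imitates the shape of the bug: JSON
fields from the Maintenance dialog are concatenated into a VACUUM/REINDEX
command string that is then handed to ``psql --command``. All function names
(render_vacuum_vulnerable, render_vacuum_hardened, render_reindex_hardened,
quote_ident) and the allow-list bounds are this example's own assumptions.
"""
import re

# Constructed request bodies (not captured traffic).
BENIGN = {"buffer_usage_limit": "256kB", "vacuum_parallel": 2,
          "vacuum_index_cleanup": "AUTO"}
MALICIOUS = {
    # Closes the option list, names a table, ends the statement and appends a
    # second one. The advisory says this position was used to run arbitrary
    # SQL, including COPY ... TO PROGRAM; a harmless SELECT stands in here.
    "vacuum_parallel": "2) events; SELECT 'injected' --",
}


def quote_ident(name: str) -> str:
    """Quote a PostgreSQL identifier: wrap in double quotes and double any
    embedded double quote. Always-quote stand-in for pgAdmin's qtIdent."""
    if "\0" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def render_vacuum_vulnerable(data: dict, table: str) -> str:
    """Pre-fix shape: the option fields are pasted into the command untouched."""
    opts = []
    if data.get("buffer_usage_limit"):
        opts.append("BUFFER_USAGE_LIMIT '%s'" % data["buffer_usage_limit"])
    if data.get("vacuum_parallel") is not None:
        opts.append("PARALLEL %s" % data["vacuum_parallel"])
    if data.get("vacuum_index_cleanup"):
        opts.append("INDEX_CLEANUP %s" % data["vacuum_index_cleanup"])
    return "VACUUM (%s) %s;" % (", ".join(opts), quote_ident(table))


# Assumed allow-lists: a size with an optional unit, an integer worker count in
# PostgreSQL's documented 0..1024 range, and the three INDEX_CLEANUP keywords.
_SIZE_RE = re.compile(r"^[0-9]{1,8}(kB|MB|GB|TB)?$")
_INDEX_CLEANUP = {"ON", "OFF", "AUTO"}


def render_vacuum_hardened(data: dict, table: str) -> str:
    """Post-fix shape: every field must match its allow-list, otherwise the
    request is refused before any SQL is rendered."""
    opts = []
    limit = data.get("buffer_usage_limit")
    if limit not in (None, ""):
        if not _SIZE_RE.match(str(limit)):
            raise ValueError("buffer_usage_limit rejected: %r" % (limit,))
        opts.append("BUFFER_USAGE_LIMIT '%s'" % limit)
    parallel = data.get("vacuum_parallel")
    if parallel is not None:
        # bool is an int subclass; JSON strings are never accepted here.
        if (isinstance(parallel, bool) or not isinstance(parallel, int)
                or not 0 <= parallel <= 1024):
            raise ValueError("vacuum_parallel rejected: %r" % (parallel,))
        opts.append("PARALLEL %d" % parallel)
    cleanup = data.get("vacuum_index_cleanup")
    if cleanup not in (None, ""):
        if str(cleanup).upper() not in _INDEX_CLEANUP:
            raise ValueError("vacuum_index_cleanup rejected: %r" % (cleanup,))
        opts.append("INDEX_CLEANUP %s" % str(cleanup).upper())
    options = "(%s) " % ", ".join(opts) if opts else ""
    return "VACUUM %s%s;" % (options, quote_ident(table))


def render_reindex_hardened(data: dict, table: str) -> str:
    """reindex_tablespace is an identifier, so it is quoted rather than
    matched against a fixed list; quoting makes a quote inside it inert."""
    tablespace = data.get("reindex_tablespace")
    head = "REINDEX"
    if tablespace:
        head += " (TABLESPACE %s)" % quote_ident(str(tablespace))
    return "%s TABLE %s;" % (head, quote_ident(table))


if __name__ == "__main__":
    print(render_vacuum_vulnerable(MALICIOUS, "events"))
    try:
        render_vacuum_hardened(MALICIOUS, "events")
    except ValueError as exc:
        print("rejected:", exc)
```

The vulnerable renderer emits a string in which the attacker's text has closed the option list and started a second statement; the hardened one never reaches the formatting step for that input. The allow-list bounds are deliberately narrower than what PostgreSQL accepts, which is the right direction for a fix of this kind.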

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

SQL injection in the pgAdmin web interface (a public-facing PostgreSQL administration tool) directly enables arbitrary SQL execution on the backend database and, via COPY ... TO PROGRAM, OS command execution on the database host; these map to exploitation of a public-facing application and Unix shell command execution. The T1190 mapping assumes the pgAdmin instance is reachable by the attacker, who must still hold an account with the tools_maintenance permission (CVSS PR:L).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
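A detection angle on the mapping above, as an added example (not from this page or from pgAdmin): a scan over constructed PostgreSQL statement-log lines that flags the two shapes the advisory describes, a COPY ... TO PROGRAM / FROM PROGRAM statement, and a maintenance statement (VACUUM/ANALYZE/REINDEX) that carries a second statement after its terminating semicolon, which is what an injected Maintenance Tool command looks like once psql --command sends it. The log_line_prefix, the line contents and the function names are assumptions of this example.

```python
"""Added example: scan PostgreSQL statement logs for the post-exploitation
shape described for CVE-2026-7815. Not pgAdmin's or the page's code; the log
lines are constructed and log_statement = 'all' with a log_line_prefix of
'%m [%p] %u@%d ' is assumed."""
import re

# Constructed log lines, not captured data.
LOG_LINES = [
    "2026-05-12 09:14:02.118 UTC [2211] pgadmin@appdb LOG:  statement: "
    'VACUUM (PARALLEL 2, INDEX_CLEANUP AUTO) "events";',
    "2026-05-12 09:14:07.402 UTC [2211] pgadmin@appdb LOG:  statement: "
    "VACUUM (PARALLEL 2) events; COPY (SELECT 1) TO PROGRAM 'id > /tmp/o' --) "
    '"events";',
    "2026-05-12 09:15:11.900 UTC [2240] app@appdb LOG:  statement: "
    "SELECT count(*) FROM events;",
]

STATEMENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)
# COPY ... TO PROGRAM / FROM PROGRAM runs a shell command on the database host.
PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(TO|FROM)\s+PROGRAM\b", re.I | re.S)
# A maintenance statement with more SQL after its ';' is the injection shape.
MAINT_RE = re.compile(r"^\s*(VACUUM|ANALYZE|REINDEX)\b", re.I)
MULTI_RE = re.compile(r";\s*\S")  # caveat: a ';' inside a string literal also trips this


def scan(lines):
    """Return one finding per suspicious statement line, with the reasons."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = STATEMENT_RE.match(line)
        if not m:
            continue  # not a statement line in the assumed prefix format
        sql = m.group("sql")
        reasons = []
        if PROGRAM_RE.search(sql):
            reasons.append("copy_program")
        if MAINT_RE.match(sql) and MULTI_RE.search(sql):
            reasons.append("maintenance_multistatement")
        if reasons:
            findings.append({"line": n, "pid": m.group("pid"),
                             "user": m.group("user"), "db": m.group("db"),
                             "reasons": reasons, "sql": sql})
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print("line %(line)d %(user)s@%(db)s %(reasons)s: %(sql)s" % f)
```

Either signal on its own is worth a look; both on the same line, from the role pgAdmin connects with, is the pattern to alert on. The multi-statement check is a heuristic and will also fire on legitimate scripts that batch a VACUUM with other statements, so tune it to the roles and hosts that run maintenance.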

CVEs Like This One

CVE-2026-7816 (same product: pgAdmin 4)
CVE-2026-7813 (same product: pgAdmin 4)
CVE-2025-12762 (same product: pgAdmin 4)
CVE-2025-13780 (same product: pgAdmin 4)
CVE-2026-1707 (same product: pgAdmin 4)
CVE-2026-7819 (same product: pgAdmin 4)
CVE-2025-25112 (shared CWE-89)
CVE-2026-44861 (shared CWE-89)
CVE-2025-54153 (shared CWE-89)
CVE-2026-32698 (shared CWE-89)

Affected Assets

Vendor: pgAdmin
Product: pgAdmin 4
Versions: 7.6 up to, but not including, 9.15 (9.15 contains the fix)

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-89) cited in the NVD entry.

Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying SQL injection weaknesses and supporting their fixes.

Input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation. For this CVE that is the server-side allow-listing of the four Maintenance Tool fields and the qtIdent quoting of reindex_tablespace described above; upgrading to pgAdmin 4 9.15 or later is the direct fix.
