CVE-2026-7815 - Vulnerability Analysis
HighCVSS: 8.8Last Updated: May 11, 2026
pgAdmin 4 - SQL Injection
Overview
pgAdmin 4 < 9.15 contains a SQL injection caused by direct concatenation of user-supplied JSON fields in maintenance commands, letting authenticated users with tools_maintenance permission execute arbitrary SQL and OS commands.
Severity & Score
Impact
Authenticated users with tools_maintenance permission can execute arbitrary SQL and escalate to OS command execution on the database host.
Mitigation
Upgrade to version 9.15 or later.
Social Media Activity(2 posts)
š CVE-2026-7815 - High (8.8) SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command ... š https://www.thehackerwire.com/vulnerability/CVE-2026-7815/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
š CVE-2026-7815 - High (8.8) SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command ... š https://www.thehackerwire.com/vulnerability/CVE-2026-7815/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-7815
- Severity
- High
- CVSS Score
- 8.8
- Type
- sql_injection
- Status
- new
- EPSS
- 4.6%
- Social Posts
- 2
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H