What is GHSA-6p2c-69cv-3fxq?

GHSA-6p2c-69cv-3fxq is a security advisory published by GitHub Security Advisories with Medium severity. pgAdmin 4: Stored cross-site scripting (XSS) vulnerability in Browser Tree and Explain Visualizer modules

Which CVE IDs does GHSA-6p2c-69cv-3fxq cover?

GHSA-6p2c-69cv-3fxq covers the following CVE IDs: CVE-2026-7814. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-6p2c-69cv-3fxq?

GHSA-6p2c-69cv-3fxq has a CVSS v3 base score of 4.8, published by GitHub Security Advisories.

Which products are affected by GHSA-6p2c-69cv-3fxq?

GHSA-6p2c-69cv-3fxq affects 1 product, including: pip/pgadmin4:\u003c 9.15.

GHSA-6p2c-69cv-3fxqMediumCVSS 4.8

pgAdmin 4: Stored cross-site scripting (XSS) vulnerability in Browser Tree and Explain Visualizer modules

Vendor

GitHub Security Advisories

Published

May 11, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-7814 →

📋 Description

Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules.

User-controlled PostgreSQL object names (database, schema, table, column, etc.) were assigned to DOM elements via innerHTML, allowing crafted object names containing HTML markup to execute attacker-supplied JavaScript in the browser of any pgAdmin user who navigated to or executed EXPLAIN over the malicious object.

Fix replaces innerHTML with textContent.

This issue affects pgAdmin 4: before 9.15.

🎯 Affected products1

pip/pgadmin4:< 9.15

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-7814
https://github.com/pgadmin-org/pgadmin4/issues/9865
https://github.com/pgadmin-org/pgadmin4/pull/9865
https://github.com/advisories/GHSA-6p2c-69cv-3fxq