CVE-2026-7816
CVE vulnerability detail — eXtreme Datacenter Security Operations
Description
OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export. User-supplied input was interpolated directly into a psql copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM cmd" to break out of the copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO /path" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable. Fix adds a parens-balance parser modeled on psqls strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks. This issue affects pgAdmin 4: before 9.15.