› 10:06:34 BSI CVE-2026-46316 Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service · › 10:06:34 BSI CVE-2026-6472 PostgreSQL: Mehrere Schwachstellen · › 10:06:33 BSI CVE-2026-25243 Redis: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Pr… · › 10:06:33 BSI CVE-2026-23234 Linux Kernel: Mehrere Schwachstellen · › 10:06:33 BSI CVE-2025-38617 Linux Kernel: Mehrere Schwachstellen · › 10:06:32 BSI CVE-2026-23412 Linux Kernel: Mehrere Schwachstellen · › 10:06:32 BSI CVE-2026-23271 Linux Kernel: Mehrere Schwachstellen · › 09:52:48 NCSC-NL CVE-2026-9735 Kwetsbaarheden verholpen in MongoDB Server · › 09:06:31 BSI CVE-2026-6653 libxml2: Schwachstelle ermöglicht Denial of Service · › 08:46:34 BSI CVE-2026-12725 dnsmasq: Schwachstelle ermöglicht Denial of Service · › 08:46:34 BSI CVE-2026-56422 MISP: Mehrere Schwachstellen · › 08:46:33 BSI CVE-2026-41523 vllm: Schwachstelle ermöglicht Codeausführung ·

Critique CCB · Belgique CVE-2026-12048

Remote Code Execution and Cross-Site Scripting in pgAdmin 4 Can Be Ex…

Publié 22 juin 2026 à 15:02

Description

CVE-2026-12048 is a stored cross-site scripting vulnerability where PostgreSQL server error text and Explain plan-node content were passed unsanitized through html-react-parser across multiple UI components, including notifier toasts, form errors, modal alerts, and the Explain visualiser. Because pgAdmin's default Content-Security-Policy allows inline scripts, injected JavaScript runs same-origin to the victim's authenticated session and can read every saved server connection credential and issue arbitrary SQL against every server the victim is connected to. CVE-2026-12046 affects two SQL Editor endpoints (close and update_connection) that were missing the authentication decorator (@pga_login_required) in server mode. This made the endpoints reachable by unauthenticated attackers and expos