pgAdmin 4 v9.2 fixes CVE-2025-2945 & CVE-2025-2946

[Alan Coopersmith <alan.coopersmith () oracle com>]

https://www.pgadmin.org/docs/pgadmin4/9.2/release_notes_9_2.html
announces the release of version 9.2 of pgAdmin 4, and lists these 2
security fixes as being included:

Issue #8602 - Fixed an XSS vulnerability issue in the Query Tool and View/Edit Data (CVE-2025-2946).
Issue #8603 - Fixed a remote code execution issue in the Query Tool and Cloud Deployment (CVE-2025-2945).

https://github.com/pgadmin-org/pgadmin4/issues/8602 says:
> When a user runs a query that retrieves data containing malicious JavaScript
> payloads, PgAdmin renders the result without proper sanitization.
> This leads to the immediate execution of embedded scripts within the browser.
>
> Steps to Reproduce:
>
>  1. Open PgAdmin and connect to any database instance.
>  2. Navigate to the Query Tool.
>  3. Run the following SQL commands:
>     CREATE TABLE IF NOT EXISTS EXAMPLE (TEXT_SAMPLE VARCHAR(255));
>     -- TRUNCATE TABLE EXAMPLE;
>     INSERT INTO EXAMPLE (TEXT_SAMPLE) VALUES
>         ('<img src=a onerror=alert(Payload_here)>');
>     SELECT * FROM EXAMPLE;
>  4. After executing the SELECT statement, an alert box is triggered as the
>     JavaScript executes directly in the query result grid.
>
> Expected Behavior:
>
> Query results should display the data as plain text. Any potentially harmful
> HTML or JavaScript content should be sanitised or escaped before rendering,
> preventing script execution in the browser.

https://github.com/pgadmin-org/pgadmin4/issues/8603 says:
> Query Tool REC vulnerability POC:
>   https://github.com/pyozzi-toss/poc/raw/refs/heads/main/pgAdmin_poc.mp4
>
> Cloud Deployment with Google Provider vulnerability POC:
>   https://www.youtube.com/watch?v=V2WzCmRct7s&ab_channel=SYP

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris