Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules).
The vulnerability is associated with the 2 POST endpoints; /sqleditor/querytool/download, where the querycommited parameter and /cloud/deploy endpoint, where the high_availability parameter is unsafely passed to the Python eval() function, allowing arbitrary code execution.
This issue affects pgAdmin 4: before 9.2.
{ "nvd_published_at": "2025-04-03T13:15:43Z", "cwe_ids": [ "CWE-94" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-04-04T14:23:31Z" }