Database

In pgAdmin 4 versions 1.0 before 9.16 a high severity vulnerability CVE-2026-12044 was detected. This vulnerability allows an authenticated user to execute arbitrary SQL statements, and potentially achieve OS command execution if connected as a highly privileged role (e.g., a superuser using COPY ... TO/FROM PROGRAM). This occurs due to an SQL injection flaw across various dialog templates (such as Domains, Foreign Tables, Languages, and Event Triggers) that render COMMENT ON ... IS '<description>'. The Jinja templates interpolate user-supplied descriptions directly inside single-quoted SQL literals instead of safely passing them through the qtLiteral escape filter, allowing an attacker to break out of the literal using an apostrophe. While the injected SQL runs under the user’s existing database role and does not cross privilege boundaries, it bypasses application-layer restrictions placed on the Query Tool interface. To address this issue, users should upgrade pgAdmin 4 to version 9.16 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-12044.

In GeoServer versions prior to 2.26.4 and prior to 2.27.3 a high severity vulnerability CVE-2025-52465 was detected. This vulnerability allows an authenticated administrator to create files containing the master password in plaintext anywhere on the server’s file system. This occurs because the Master Password Dump web page fails to properly sanitize user input, allowing the submission of arbitrary absolute file paths. Installations where the web interface is disabled or removed are not affected. To address this issue, users should upgrade GeoServer to versions 2.26.4 or 2.27.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-52465.

In ChromaDB Python versions 0.4.17 or later a high severity vulnerability CVE-2026-45830 was detected. This vulnerability allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant’s collection, leading to unauthorized cross-tenant data access. This occurs due to a lack of proper authorization validation across tenant boundaries, meaning users are not restricted to the tenant they actually belong to. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-45830.

In pgAdmin 4 versions 6.0 before 9.16 a critical severity vulnerability CVE-2026-12048 was detected. This vulnerability allows an attacker to execute arbitrary JavaScript or conduct highly deceptive phishing attacks via Stored Cross-Site Scripting (XSS). This occurs because untrusted text returned by a PostgreSQL server (such as error messages or execution plan nodes) is passed directly through html-react-parser without proper sanitization. By controlling a server or creating database objects with maliciously crafted names, an attacker can inject arbitrary HTML, such as malicious <iframe> tags. These iframes can fetch attacker-served scripts and redirect the victim’s top-level browser tab. To address this issue, users should upgrade pgAdmin 4 to version 9.16 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-12048.

In MongoDB versions Versions before 8.3.3, 8.2.10, 8.0.10, 7.0.35 a medium severity vulnerability CVE-2026-9748 was detected. This vulnerability allows a user to cause a mongod server crash, leading to a Denial of Service (DoS). This occurs because the $_internalConvertBucketIndexStats stage incorrectly uses PauseExecution as a mechanism to skip documents when an index stats conversion fails on non-timeseries input. However, PauseExecution is not a general-purpose skip signal; it is an internal TeeBuffer signal used solely by the $facet stage. When $_internalConvertBucketIndexStats is placed before $facet in a pipeline, the TeeBuffer receives this unexpected signal, triggers a hard invariant assertion, and crashes the server. To address this issue, users should upgrade MongoDB to a patched version 7.0.35 and later, 8.0.24 and later, 8.2.10 and later, 8.3.3 and later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-9748.

In pgAdmin 4 versions from 1.0.0 up to, but not including, 9.16.0. a medium severity vulnerability CVE-2026-12050 was detected. This vulnerability allows an authenticated user with a connected PostgreSQL session to execute arbitrary SQL statements. This occurs due to an SQL injection flaw in the named restore point endpoint (POST /browser/server/restore_point/{gid}/{sid}), where the user-supplied value field is interpolated directly into the SQL string instead of being passed as a bound parameter. While the injected SQL executes under the user’s existing database role and does not cross privilege boundaries, it bypasses application-layer restrictions, allowing SQL execution outside of the documented Query Tool interface. To address this issue, users should upgrade pgAdmin 4 to a patched version 9.16 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-12050.

In MariaDB Server versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1 a high severity vulnerability CVE-2026-44171 was detected. This vulnerability allows an attacker to create or overwrite files outside the intended target directory. This occurs due to a path traversal flaw in the mbstream utility, which fails to check for directory traversal sequences (like /../) when unpacking an archive. While a legitimate backup never contains such paths, an attacker can provide a specially crafted archive to exploit this issue and perform arbitrary file writes. To address this issue, users should upgrade MariaDB Server to versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, or 12.3.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-44171.

In MariaDB Server versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1 a high severity vulnerability CVE-2026-48163 was detected. This vulnerability allows a malicious joiner node to execute arbitrary shell commands on the donor node. This occurs due to improper validation of parameters sent by the joiner during a State Snapshot Transfer (SST) via the rsync method, which the donor node unsafely interpolates into the command line. To address this issue, users should upgrade MariaDB Server to versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, or 12.3.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-48163.

In ChromaDB Python versions 0.5.0 or later a high severity vulnerability CVE-2026-45831 was detected. This vulnerability allows an authenticated user to perform cross-tenant actions and gain unauthorized access to isolated data. This occurs because the SimpleRBACAuthorizationProvider evaluates whether a user holds a given permission, but fails to check which tenant, database, or collection that permission actually applies to. Consequently, attackers can bypass intended access restrictions across different tenant environments. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-45831.