HTML injection in pgAdmin 4's cloud deployment module. The verify_credentials, deploy, regions, and update-server endpoints under /rds/, /azure/, /google/, and the top-level /cloud/ blueprint propagated AWS / Azure / Google SDK exception text — and the related file-resolution and database-commit exception text — into the JSON response body (the info and errormsg fields) without HTML-encoding. The Cloud Wizard frontend rendered these strings through html-react-parser, so an attacker-influenced exception message embedded structural HTML directly into the wizard's DOM. The reported entry point is /rds/verify_credentials/. An authenticated pgAdmin user submits a crafted access_key whose value contains an <iframe/src=...> payload; AWS STS rejects the credential with an IncompleteSignature exception whose text quotes the access_key verbatim; the pgAdmin backend forwards that text into the JSON info field; the Cloud Wizard's FormFooterMessage parses it as HTML. The browser fetches the iframe's src from an attacker-controlled host, and JavaScript executing inside the cross-origin iframe writes to parent.location, redirecting the victim's pgAdmin tab. Because the injection renders inside pgAdmin's own interface, X-Frame-Options and Content-Security-Policy frame-ancestors do not mitigate it. Baseline impact is self-targeted (the same user who supplied the payload sees the injection); escalation against other authenticated users requires an additional cross-site request-forgery primitive capable of submitting the malformed credential request with a valid X-pgA-CSRFToken in the victim's browser context. The same unsanitised-error-into-JSON pattern was present across multiple sibling endpoints — Azure's check_cluster_name_availability, every Google endpoint that surfaces SDK errors (verification_ack, projects, regions, instance_types, database_versions, the verify_credentials path-resolution branches), the central /deploy endpoint that bubbles str(e) from deploy_on_rds / deploy_on_azure / deploy_on_google, and update_cloud_server which surfaces the str(e) from a failing db.session.commit — all of which are now covered. Fix HTML-escapes every external/SDK exception string at the endpoint sink via a new shared sanitize_external_text helper (HTML escape with control-character strip), promoted out of the psycopg3 driver into web/pgadmin/utils/text_sanitize.py. The Cloud Wizard frontend additionally renders its FormFooterMessage in plain-text mode for backend-derived strings, so the value is never parsed as HTML even if a future sink forgets the escape. This issue affects pgAdmin 4: from 6.6 before 9.16.

• https://github.com/pgadmin-org/pgadmin4/commit/60d149864b5fdd99675754c7996637737a24fce3
• https://github.com/pgadmin-org/pgadmin4/issues/10069

• Pgadmin » Pgadmin 4 » Version: 6.10
  cpe:2.3:a:pgadmin:pgadmin_4:6.10
• Pgadmin » Pgadmin 4 » Version: 6.11
  cpe:2.3:a:pgadmin:pgadmin_4:6.11
• Pgadmin » Pgadmin 4 » Version: 6.12
  cpe:2.3:a:pgadmin:pgadmin_4:6.12
• Pgadmin » Pgadmin 4 » Version: 6.13
  cpe:2.3:a:pgadmin:pgadmin_4:6.13
• Pgadmin » Pgadmin 4 » Version: 6.14
  cpe:2.3:a:pgadmin:pgadmin_4:6.14
• Pgadmin » Pgadmin 4 » Version: 6.15
  cpe:2.3:a:pgadmin:pgadmin_4:6.15
• Pgadmin » Pgadmin 4 » Version: 6.16
  cpe:2.3:a:pgadmin:pgadmin_4:6.16
• Pgadmin » Pgadmin 4 » Version: 6.17
  cpe:2.3:a:pgadmin:pgadmin_4:6.17
• Pgadmin » Pgadmin 4 » Version: 6.18
  cpe:2.3:a:pgadmin:pgadmin_4:6.18
• Pgadmin » Pgadmin 4 » Version: 6.19
  cpe:2.3:a:pgadmin:pgadmin_4:6.19
• Pgadmin » Pgadmin 4 » Version: 6.20
  cpe:2.3:a:pgadmin:pgadmin_4:6.20
• Pgadmin » Pgadmin 4 » Version: 6.21
  cpe:2.3:a:pgadmin:pgadmin_4:6.21
• Pgadmin » Pgadmin 4 » Version: 6.6
  cpe:2.3:a:pgadmin:pgadmin_4:6.6
• Pgadmin » Pgadmin 4 » Version: 6.7
  cpe:2.3:a:pgadmin:pgadmin_4:6.7
• Pgadmin » Pgadmin 4 » Version: 6.8
  cpe:2.3:a:pgadmin:pgadmin_4:6.8
• Pgadmin » Pgadmin 4 » Version: 6.9
  cpe:2.3:a:pgadmin:pgadmin_4:6.9
• Pgadmin » Pgadmin 4 » Version: 7.0
  cpe:2.3:a:pgadmin:pgadmin_4:7.0
• Pgadmin » Pgadmin 4 » Version: 7.1
  cpe:2.3:a:pgadmin:pgadmin_4:7.1
• Pgadmin » Pgadmin 4 » Version: 7.2
  cpe:2.3:a:pgadmin:pgadmin_4:7.2
• Pgadmin » Pgadmin 4 » Version: 7.3
  cpe:2.3:a:pgadmin:pgadmin_4:7.3
• Pgadmin » Pgadmin 4 » Version: 7.4
  cpe:2.3:a:pgadmin:pgadmin_4:7.4
• Pgadmin » Pgadmin 4 » Version: 7.5
  cpe:2.3:a:pgadmin:pgadmin_4:7.5
• Pgadmin » Pgadmin 4 » Version: 7.6
  cpe:2.3:a:pgadmin:pgadmin_4:7.6
• Pgadmin » Pgadmin 4 » Version: 7.7
  cpe:2.3:a:pgadmin:pgadmin_4:7.7
• Pgadmin » Pgadmin 4 » Version: 7.8
  cpe:2.3:a:pgadmin:pgadmin_4:7.8
• Pgadmin » Pgadmin 4 » Version: 8.0
  cpe:2.3:a:pgadmin:pgadmin_4:8.0
• Pgadmin » Pgadmin 4 » Version: 8.1
  cpe:2.3:a:pgadmin:pgadmin_4:8.1
• Pgadmin » Pgadmin 4 » Version: 8.10
  cpe:2.3:a:pgadmin:pgadmin_4:8.10
• Pgadmin » Pgadmin 4 » Version: 8.11
  cpe:2.3:a:pgadmin:pgadmin_4:8.11
• Pgadmin » Pgadmin 4 » Version: 8.12
  cpe:2.3:a:pgadmin:pgadmin_4:8.12
• Pgadmin » Pgadmin 4 » Version: 8.13
  cpe:2.3:a:pgadmin:pgadmin_4:8.13
• Pgadmin » Pgadmin 4 » Version: 8.14
  cpe:2.3:a:pgadmin:pgadmin_4:8.14
• Pgadmin » Pgadmin 4 » Version: 8.2
  cpe:2.3:a:pgadmin:pgadmin_4:8.2
• Pgadmin » Pgadmin 4 » Version: 8.3
  cpe:2.3:a:pgadmin:pgadmin_4:8.3
• Pgadmin » Pgadmin 4 » Version: 8.4
  cpe:2.3:a:pgadmin:pgadmin_4:8.4
• Pgadmin » Pgadmin 4 » Version: 8.5
  cpe:2.3:a:pgadmin:pgadmin_4:8.5
• Pgadmin » Pgadmin 4 » Version: 8.6
  cpe:2.3:a:pgadmin:pgadmin_4:8.6
• Pgadmin » Pgadmin 4 » Version: 8.7
  cpe:2.3:a:pgadmin:pgadmin_4:8.7
• Pgadmin » Pgadmin 4 » Version: 8.8
  cpe:2.3:a:pgadmin:pgadmin_4:8.8
• Pgadmin » Pgadmin 4 » Version: 8.9
  cpe:2.3:a:pgadmin:pgadmin_4:8.9
• Pgadmin » Pgadmin 4 » Version: 9.0
  cpe:2.3:a:pgadmin:pgadmin_4:9.0
• Pgadmin » Pgadmin 4 » Version: 9.1
  cpe:2.3:a:pgadmin:pgadmin_4:9.1
• Pgadmin » Pgadmin 4 » Version: 9.10
  cpe:2.3:a:pgadmin:pgadmin_4:9.10
• Pgadmin » Pgadmin 4 » Version: 9.2
  cpe:2.3:a:pgadmin:pgadmin_4:9.2
• Pgadmin » Pgadmin 4 » Version: 9.3
  cpe:2.3:a:pgadmin:pgadmin_4:9.3
• Pgadmin » Pgadmin 4 » Version: 9.4
  cpe:2.3:a:pgadmin:pgadmin_4:9.4
• Pgadmin » Pgadmin 4 » Version: 9.5
  cpe:2.3:a:pgadmin:pgadmin_4:9.5
• Pgadmin » Pgadmin 4 » Version: 9.6
  cpe:2.3:a:pgadmin:pgadmin_4:9.6
• Pgadmin » Pgadmin 4 » Version: 9.7
  cpe:2.3:a:pgadmin:pgadmin_4:9.7
• Pgadmin » Pgadmin 4 » Version: 9.8
  cpe:2.3:a:pgadmin:pgadmin_4:9.8
• Pgadmin » Pgadmin 4 » Version: 9.9
  cpe:2.3:a:pgadmin:pgadmin_4:9.9