CVE-2025-60796

6.1 MEDIUM

📋 TL;DR

phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting (XSS) vulnerabilities where user input is reflected in HTML without proper encoding. Attackers can exploit these to execute arbitrary JavaScript in victims' browsers, potentially stealing credentials or hijacking sessions. Anyone running vulnerable phpPgAdmin versions is affected.

💻 Affected Systems

Products:
  • phpPgAdmin
Versions: 7.13.0 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable regardless of configuration.

📦 What is this software?

phpPgAdmin is a web-based administration tool for PostgreSQL, written in PHP and served by an ordinary web server (Apache, Nginx) and PHP runtime. Because it is a browser-driven admin console, any script that runs in a logged-in administrator's browser acts with that administrator's database privileges.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker who gets script running in an administrator's phpPgAdmin session can do anything that administrator can: read or modify data, create database users, and use the compromised database server as a foothold for lateral movement. The injected script can also present a fake login form to capture database credentials.

🟠 Likely Case

Session hijacking of an authenticated phpPgAdmin user who is tricked into opening a crafted link, allowing the attacker to perform unauthorized database operations or steal data as that user.

🟢 If Mitigated

Once output encoding is in place (the 7.14.0 fix) the injected markup is rendered as literal text instead of executed; a restrictive Content Security Policy and IP restrictions further reduce who can reach the interface and what an injected script could do.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

This is reflected XSS: the attacker crafts a URL pointing at the victim's phpPgAdmin instance and needs an already-authenticated user to open it (a link in mail or chat is enough). No further skill is required once the vulnerable parameter is known, and the public references identify the affected code locations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.14.0 or later

Vendor Advisory: https://github.com/phppgadmin/phppgadmin/security/advisories

Restart Required: No

Instructions:

1. Back up the current phpPgAdmin installation (files and conf/config.inc.php).
2. Download 7.14.0 or later from the official repository.
3. Replace the vulnerable files with the patched versions, keeping your existing config.inc.php.
4. If PHP OPcache is enabled with opcache.validate_timestamps=0, reload PHP-FPM or Apache so the old cached bytecode is not served.
5. Verify functionality and the version (see How to Verify below).

🔧 Temporary Workarounds

Output Encoding at Reflection Points (platform: all)

The root cause is missing output encoding, so the workaround is to HTML-encode each $_REQUEST value at the point where it is written into the page, not to "validate" it on the way in (encoding on input corrupts values that later go into SQL or object identifiers). Vendor files modified this way are overwritten by the next upgrade, so treat this as a stopgap.

// In the affected PHP files, where a request parameter is echoed into HTML:
echo htmlspecialchars($_REQUEST['param'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

This protects HTML body and quoted-attribute contexts only; a value reflected inside a <script> block or into a URL needs context-specific encoding instead.

Content Security Policy (platform: all)

A CSP that restricts script sources blocks injected inline script even while the reflection itself is still present. Deploy it first as Content-Security-Policy-Report-Only and review the reports: phpPgAdmin's own pages rely on inline JavaScript and event handlers, so a policy without 'unsafe-inline' is likely to break parts of the interface, and adding 'unsafe-inline' would also allow the injected script, defeating the purpose.

# Apache (mod_headers), in the vhost or .htaccess:
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'"
# Nginx, in the server or location block:
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
# PHP, before any output is sent:
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

🧯 If You Can't Patch

  • Restrict phpPgAdmin access to trusted IP addresses only (this limits who can reach the interface; it does not stop a crafted link opened by a user inside the allowed range)
  • Implement web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check the phpPgAdmin version shown in the web interface, or read it from the source files. If it is 7.13.0 or earlier, the installation is vulnerable.

Check Version:

grep -n 'appVersion' /path/to/phppgadmin/libraries/lib.inc.php

Verify Fix Applied:

After patching, confirm the version reads 7.14.0 or later. Then send a harmless probe such as a parameter value containing "><b>probe</b> to a previously vulnerable parameter and check that the response contains it entity-encoded (&quot;&gt;&lt;b&gt;...) rather than rendered as markup.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long parameter values in access logs
  • HTML or JavaScript payloads in GET parameters, in plain or percent-encoded form (%3Cscript); POST bodies are not recorded in standard access logs
  • An authenticated session that continues from a different client IP or User-Agent than the one that logged in (possible reuse of a stolen session cookie)

Network Indicators:

  • HTTP requests to phpPgAdmin containing script tags, event handlers or javascript: URLs in parameters
  • Browsers that have just loaded a phpPgAdmin page connecting to unfamiliar external hosts (exfiltration by the injected script), and unusual outbound connections from the phpPgAdmin server itself

SIEM Query:

source="web_access_logs" AND (uri="*<script*" OR uri="*%3Cscript*" OR uri="*javascript:*" OR uri="*onerror=*" OR params="*<script*" OR params="*javascript:*")

Browsers percent-encode < and > in the request line, so a query that matches only the literal "<script" misses most real attempts; match against the URL-decoded URI if your SIEM exposes one, or include the %3C forms as above. Attackers also double-encode (%253C), which only a decoding pass catches.
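To show what the query above cannot do with literal string matching, the following Python script, added here as an example and not taken from the advisory or from the phpPgAdmin project, percent-decodes each request URI (repeatedly, so double-encoded payloads are caught) before matching it against a small set of XSS markers, and runs over a few constructed access-log lines. The endpoint /phppgadmin/example.php and the parameter name param are placeholders, not phpPgAdmin's actual vulnerable parameters.

```python
"""Flag reflected-XSS probes in web-server access logs.

Added example for this advisory; not code from the page or from phpPgAdmin.
The log lines are constructed, and /phppgadmin/example.php plus the parameter
name "param" are placeholders rather than real phpPgAdmin endpoints. The point:
match on the percent-decoded URI, because a literal "<script" search misses
the %3Cscript form that browsers actually send.
"""
import re
from urllib.parse import unquote

# Request line inside a common/combined log entry: "METHOD URI HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Checked against the decoded URI. The name is what a finding reports.
XSS_MARKERS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("event-handler", re.compile(r"\bon(error|load|click|mouseover|focus)\s*=", re.I)),
    ("html-tag", re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I)),
]


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing.

    One pass turns %3Cscript%3E into <script>; a second pass is needed for the
    double-encoded %253Cscript%253E used to slip past single-pass filters.
    The round limit keeps pathological input from looping.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_uri(uri: str) -> list[str]:
    """Return the names of XSS markers present in the decoded URI ([] if clean)."""
    decoded = decode_fully(uri)
    return [name for name, rx in XSS_MARKERS if rx.search(decoded)]


def scan(lines) -> list[tuple[str, list[str]]]:
    """Return (raw_uri, markers) for each log line whose request URI looks like a probe.

    Only the request line is inspected: standard access logs do not record
    POST bodies, so payloads sent in a form body are invisible here.
    """
    findings = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        markers = suspicious_uri(m.group("uri"))
        if markers:
            findings.append((m.group("uri"), markers))
    return findings


# Constructed sample log (not real traffic). Entries 2-5 are probes; 1 and 6 are benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /phppgadmin/index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "GET /phppgadmin/example.php?param=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1024',
    '203.0.113.5 - - [01/Jan/2025:10:00:03 +0000] "GET /phppgadmin/example.php?param=%253Cscript%253Ealert(document.cookie)%253C%252Fscript%253E HTTP/1.1" 200 1024',
    '203.0.113.5 - - [01/Jan/2025:10:00:04 +0000] "GET /phppgadmin/example.php?param=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 1024',
    '203.0.113.5 - - [01/Jan/2025:10:00:05 +0000] "GET /phppgadmin/example.php?param=javascript:alert(1) HTTP/1.1" 200 1024',
    '198.51.100.7 - - [01/Jan/2025:10:00:06 +0000] "GET /phppgadmin/example.php?param=connection%20options&one=1 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for uri, markers in scan(SAMPLE_LOG):
        print(f"{', '.join(markers):28s} {decode_fully(uri)}")
```

Run it directly to list the flagged requests, or pass your web server's access-log lines to scan(). Entry 3 (double-encoded) and entry 4 (an image tag with an onerror handler) are exactly the forms a literal "<script" query never sees; the benign entry 6 shows why the event-handler pattern is restricted to known handler names rather than any "on...=" parameter.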
