CVE-2025-60798

6.5 MEDIUM

📋 TL;DR

phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php: the query request parameter reaches browseQuery without sanitization, so an authenticated user can execute arbitrary SQL against the connected PostgreSQL database. This can lead to complete database compromise, including data theft, modification, or deletion. Authentication is required; unauthenticated users cannot reach the vulnerable code path.

💻 Affected Systems

Products:
  • phpPgAdmin
Versions: 7.13.0 and earlier
Operating Systems: All operating systems running phpPgAdmin
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authentication to exploit. Any installation with default or custom configurations that use the vulnerable display.php component is affected.

📦 What is this software?

phpPgAdmin is a PHP web front-end for administering PostgreSQL databases. display.php is the page that renders table and query-result browsing, which is the code path affected here.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, modification, deletion, privilege escalation, and potential server compromise through database functions.

🟠

Likely Case

Data exfiltration, unauthorized data modification, privilege escalation within the database, and potential denial of service.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and least privilege database accounts.

🌐 Internet-Facing: HIGH if phpPgAdmin is exposed to the internet with authenticated users, as SQL injection can be automated and lead to full database compromise.
🏢 Internal Only: MEDIUM for internal deployments, as authenticated attackers could still exploit but attack surface is reduced compared to internet-facing instances.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access. The vulnerability is in a core component and SQL injection payloads are well-documented and easily weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.14.0 or later

Vendor Advisory: https://github.com/phppgadmin/phppgadmin/security/advisories

Restart Required: No

Instructions:

1. Back up your phpPgAdmin installation and the database.
2. Download the latest release from the official repository.
3. Upgrade the entire installation. Replacing only display.php is possible as a stopgap, but a single file copied across releases can be out of step with the rest of the tree, so prefer the full upgrade.
4. Verify the fix by checking that line 396 of display.php no longer passes unsanitized user input to browseQuery, and that the installed version reports 7.14.0 or later.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Add input validation to sanitize the query parameter before processing.

Edit display.php around line 396 and add: $query = filter_var($_REQUEST['query'], FILTER_SANITIZE_STRING);

Caveat: FILTER_SANITIZE_STRING strips tags and HTML-encodes quotes; it leaves semicolons, comment sequences (--, /*) and SQL keywords untouched, and it is deprecated since PHP 8.1. Treat it as a stopgap that narrows the attack surface, not as a fix; restricting who can reach phpPgAdmin and upgrading are the effective controls.

Disable Display Functionality

Platform: all

Temporarily disable the vulnerable display functionality.

Comment out or remove the vulnerable code section in display.php around line 396. This disables result browsing for all users until the upgrade is applied, so announce it before doing it.

🧯 If You Can't Patch

  • Restrict access to phpPgAdmin to trusted users and networks (VPN, IP allowlist, or an authenticating reverse proxy in front of it) and segment it from other services
  • Connect phpPgAdmin with least-privilege PostgreSQL roles (no superuser, no pg_read_server_files or pg_execute_server_program membership), so an injected statement cannot reach file or OS functions
  • Enable PostgreSQL statement logging for sessions opened by phpPgAdmin so abuse leaves a trail (see Detection & Monitoring)

🔍 How to Verify

Check if Vulnerable:

Inspect display.php around line 396: if $_REQUEST['query'] is passed to browseQuery without validation, the installation is vulnerable.

Check Version:

The version string is defined as $appVersion in libraries/lib.inc.php: grep -n 'appVersion' /path/to/phppgadmin/libraries/lib.inc.php (conf/config.inc.php holds settings, not the version). The web interface footer also shows it. Anything at or below 7.13.0 is affected.

Verify Fix Applied:

Verify that display.php around line 396 now validates or parameterizes the query input before it reaches browseQuery, and that $appVersion reports 7.14.0 or later.
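
The two checks above (the version test and the line-396 source test from the patch instructions) as one script. This is an added example, not code from the advisory or from the phpPgAdmin project. It assumes the version lives in $appVersion in libraries/lib.inc.php and that an unpatched display.php hands $_REQUEST['query'] straight to browseQuery in a single statement; the source check is a heuristic and the version is the authoritative signal. The sample tree it builds is constructed for the demo and only imitates the shape of the real files.

```python
"""Added example (not part of this advisory or of phpPgAdmin): check an
installed phpPgAdmin tree for CVE-2025-60798 exposure.

Assumptions: the version is read from $appVersion in libraries/lib.inc.php
and an unpatched display.php hands $_REQUEST['query'] straight to
browseQuery. The sample tree built below is constructed for the demo.
"""
import os
import re
import tempfile

FIXED_VERSION = (7, 14, 0)  # advisory: fixed in 7.14.0 or later

VERSION_RE = re.compile(r"\$appVersion\s*=\s*['\"]([^'\"]+)['\"]")
# browseQuery( ... $_REQUEST['query'] ... ) within a single statement.
SINK_RE = re.compile(r"browseQuery\s*\([^;]*\$_REQUEST\s*\[\s*['\"]query['\"]\s*\]")


def parse_version(source):
    """Return the version as a tuple of ints, or None when $appVersion is absent."""
    m = VERSION_RE.search(source)
    if not m:
        return None
    return tuple(int(p) for p in re.findall(r"\d+", m.group(1)))


def version_is_fixed(version):
    """True when the installed version is at or above the patched release."""
    return version is not None and version >= FIXED_VERSION


def find_raw_sinks(display_source):
    """1-based line numbers where browseQuery receives $_REQUEST['query'] unmodified."""
    return [display_source.count("\n", 0, m.start()) + 1
            for m in SINK_RE.finditer(display_source)]


def assess(install_dir):
    """Combine the version check and the source check for one install directory."""
    lib_path = os.path.join(install_dir, "libraries", "lib.inc.php")
    display_path = os.path.join(install_dir, "display.php")
    with open(lib_path, encoding="utf-8", errors="replace") as f:
        version = parse_version(f.read())
    with open(display_path, encoding="utf-8", errors="replace") as f:
        sinks = find_raw_sinks(f.read())
    fixed = version_is_fixed(version)
    return {
        "version": version,
        "version_fixed": fixed,
        "raw_sink_lines": sinks,
        # Flag an old version, or a new version that still carries the raw sink
        # (a partial upgrade); either case needs a human look.
        "vulnerable": (not fixed) or bool(sinks),
    }


# Constructed stand-ins for the two files the check reads.
SAMPLE_LIB = "<?php\n\t$appName = 'phpPgAdmin';\n\t$appVersion = '7.13.0';\n"
SAMPLE_DISPLAY = (
    "<?php\n"
    "// constructed stand-in for the unpatched browse path\n"
    "$rs = $data->browseQuery($type, $object, $_REQUEST['query'], $_REQUEST['sortkey'],\n"
    "    $_REQUEST['sortdir'], $_REQUEST['page'], $conf['max_rows'], $max_pages);\n"
)


def build_sample_tree():
    """Write the constructed files into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="phppgadmin-check-")
    os.makedirs(os.path.join(root, "libraries"))
    with open(os.path.join(root, "libraries", "lib.inc.php"), "w") as f:
        f.write(SAMPLE_LIB)
    with open(os.path.join(root, "display.php"), "w") as f:
        f.write(SAMPLE_DISPLAY)
    return root


if __name__ == "__main__":
    import sys
    # Pass a real install directory as argv[1]; without one, the constructed tree is used.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    report = assess(target)
    print(f"{target}: version={report['version']} fixed={report['version_fixed']} "
          f"raw sink at lines {report['raw_sink_lines']} -> "
          f"{'VULNERABLE' if report['vulnerable'] else 'ok'}")
```

Run it with the install directory as the argument; a hit in raw_sink_lines after an upgrade means the new display.php did not land.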

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL statements in PostgreSQL logs (log_statement = 'all' for the phpPgAdmin role captures them)
  • Failed phpPgAdmin logins followed by a successful login and unusual queries from the same source
  • Query parameters containing injection constructs: UNION ... SELECT, stacked statements (; DROP ...), comment sequences (--, /*), or file and OS functions (pg_read_file, COPY ... FROM PROGRAM). display.php is the result browser, so a plain SELECT in its query parameter is normal traffic and does not discriminate on its own.

Network Indicators:

  • Unusual traffic patterns to display.php endpoint
  • Requests with SQL injection payloads in query parameters

SIEM Query:

source="web_logs" AND uri="*display.php*" AND (query="*UNION*" OR query="*DROP*" OR query="*;*" OR query="*--*" OR query="*pg_read_file*")

Match the path with a wildcard because phpPgAdmin is usually installed under a sub-path. Leave plain SELECT out of the alert condition (display.php receives SELECT statements in normal use) and keep it as context only; decode the parameter before matching so double-encoded payloads are not missed.
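
The same triage logic run over access-log lines, as an added example that is not part of the advisory or of any SIEM product. It assumes the combined log format used by Apache and Nginx; the log lines are constructed. Patterns are checked on the query parameter both as decoded by the web server and after one extra decode, so a double-encoded payload still scores, and a bare SELECT is reported only as informational.

```python
"""Added example (not part of this advisory): score access-log requests to
phpPgAdmin's display.php for SQL-injection constructs (CVE-2025-60798).

Assumed log format: Apache/Nginx combined. Sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined access-log prefix: ip ident user [ts] "METHOD path PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# (name, pattern, weight): constructs that do not belong in a result-browse request.
INDICATORS = [
    ("stacked_statement", re.compile(r";\s*(?:drop|delete|update|insert|alter|create|copy|grant)\b", re.I), 3),
    ("sql_comment", re.compile(r"--|/\*"), 2),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I), 3),
    ("pg_io_function", re.compile(r"\b(?:pg_read_file|pg_ls_dir|lo_import|lo_export)\s*\(|\bfrom\s+program\b", re.I), 4),
    ("sleep_probe", re.compile(r"\bpg_sleep\s*\(", re.I), 2),
    ("tautology", re.compile(r"\b(?:or|and)\s+('?\w+'?)\s*=\s*\1(?!\w)", re.I), 2),
]


def parse_line(line):
    """Parse one access-log line into a dict, or None when it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["path"])
    rec["script"] = url.path.rsplit("/", 1)[-1]
    rec["params"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def score_query(query):
    """Return (score, hit names) for a query-parameter value.

    Each pattern is tried on the value as the server decoded it and after one
    further decode, so double-encoding does not hide it."""
    views = (query, unquote_plus(query))
    score, hits = 0, []
    for name, rx, weight in INDICATORS:
        if any(rx.search(v) for v in views):
            score += weight
            hits.append(name)
    if not hits and re.search(r"\bselect\b", query, re.I):
        hits.append("plain_select")  # informational only: normal browse traffic
    return score, hits


def triage(lines, threshold=3):
    """Return display.php requests scoring at or above threshold, highest first."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["script"] != "display.php":
            continue
        query = " ".join(rec["params"].get("query", []))
        score, hits = score_query(query)
        if score >= threshold:
            findings.append({"ip": rec["ip"], "user": rec["user"], "ts": rec["ts"],
                             "score": score, "hits": hits, "query": query})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


# Constructed sample log lines.
SAMPLE_LOG = [
    # Normal browse: SELECT in the query parameter is expected.
    '10.0.0.5 - dba [12/Mar/2025:10:01:02 +0000] "GET /phppgadmin/display.php?server=localhost%3A5432&database=app&query=SELECT+*+FROM+orders+LIMIT+50&page=1 HTTP/1.1" 200 5120',
    # Stacked statement plus a trailing comment.
    '10.0.0.9 - dba [12/Mar/2025:10:03:44 +0000] "GET /phppgadmin/display.php?server=localhost%3A5432&database=app&query=SELECT+1%3B+DROP+TABLE+audit_log+--&page=1 HTTP/1.1" 200 800',
    # UNION-based read of pg_shadow.
    '10.0.0.9 - dba [12/Mar/2025:10:04:10 +0000] "GET /phppgadmin/display.php?database=app&query=SELECT+1+UNION+ALL+SELECT+passwd+FROM+pg_shadow HTTP/1.1" 200 900',
    # Double-encoded pg_read_file attempt.
    '10.0.0.9 - dba [12/Mar/2025:10:05:01 +0000] "GET /phppgadmin/display.php?database=app&query=SELECT%2520pg_read_file%2528%2527%252Fetc%252Fpasswd%2527%2529 HTTP/1.1" 200 700',
    # Unrelated page, ignored.
    '10.0.0.5 - dba [12/Mar/2025:10:06:00 +0000] "GET /phppgadmin/tables.php?database=app HTTP/1.1" 200 3000',
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['score']:>2} {f['ip']} {f['user']} {f['hits']} :: {f['query']}")
```

Feed it real lines from the web server and raise the threshold if legitimate DBAs use comments in their queries; the weights are a starting point, not a tuned model.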
