{"id":"CVE-2025-60798","details":"phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from $_REQUEST['query'] directly to the browseQuery function without proper sanitization. An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands through malicious query manipulation, potentially leading to complete database compromise.","aliases":["GHSA-g6xh-wrpf-v6j6"],"modified":"2026-04-02T12:57:27.329450Z","published":"2025-11-20T15:17:38.393Z","references":[{"type":"WEB","url":"https://github.com/phppgadmin/phppgadmin/blob/master/display.php#L396"},{"type":"ADVISORY","url":"https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60798.md"},{"type":"ADVISORY","url":"https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60797.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/phppgadmin/phppgadmin","events":[{"introduced":"0"},{"last_affected":"13f3f821e6891ae2093e6b66ce190353624886ce"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"7.13.0"}]}}],"versions":["REL_0-5-0","REL_0-6-0","REL_0-6-5","REL_3-0-0-DEV-1","REL_3-0-0-DEV-2","REL_3-0-0-DEV-3","REL_3-0-0-DEV-4","REL_3-0-1","REL_3-0-BETA-1","REL_3-0-RC-1","REL_3-0-RC-2","REL_3-1-BETA-1","REL_3-1-RC-1","REL_3-2-1","REL_3-3-1","REL_3-4-1","REL_3-5-1","REL_3-5-2","REL_3-5-3","REL_3-5-4","REL_3-5-5","REL_3-5-6","REL_4-0-1","REL_4-1-1","REL_4-1-2","REL_4-1-3","REL_4-1-3-RC-1","REL_4-1-BETA-1","REL_4-2-1","REL_4-2-2","REL_4-2-3","REL_4-2-BETA-1","REL_4-2-BETA-2","REL_5-0-0","REL_5-0-1","REL_5-0-2","REL_5-0-3","REL_5-0-4","REL_5-0-BETA-1","REL_5-0-BETA-2","REL_5-1-0","REL_5-6-0","REL_7-12-0","REL_7-12-1","REL_7-13-0","r1","start"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-60798.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}