【資安漏洞預警】PostgreSQL圖形化介面工具pgAdmin存在高風險安全漏洞(CVE-2025-13780)，請儘速確認並進行修補

【行政公告】

公告單位	圖資處數位服務組
訊息類別	行政公告行政公告	公告對象	全體
公告主題	【資安漏洞預警】PostgreSQL圖形化介面工具pgAdmin存在高風險安全漏洞(CVE-2025-13780)，請儘速確認並進行修補 [Security Vulnerability Alert] The PostgreSQL graphical interface tool pgAdmin has a high-risk security vulnerability (CVE-2025-13780). Please confirm and patch it as soon as possible.
公告內容	轉發國家資安資訊分享與分析中心資安訊息警訊 NISAC-200-202601-00000012 [內容說明] 研究人員發現PostgreSQL圖形化介面工具pgAdmin存在程式碼注入(Code Injection)漏洞(CVE-2025-13780)。當系統處於伺服器模式(Server Mode)下，取得一般權限之遠端攻擊者可上傳特製惡意備份檔，後續當觸發PLAIN格式備份檔還原功能時，系統會解析特製備份檔，進而於pgAdmin主機上執行任意程式碼，請儘速確認並進行修補。 [影響平台] pgAdmin 9.10(含)以下版本 [建議措施] 更新pgAdmin至9.11(含)以上版本 [參考資料] 1. https://nvd.nist.gov/vuln/detail/CVE-2025-13780 2. https://www.endorlabs.com/learn/when-regex-isnt-enough-how-we-discovered-cve-2025-13780-in-pgadmin Forwarded from the National Cybersecurity Information Sharing and Analysis Center: Cybersecurity Alert NISAC-200-202601-00000012 [Content Description] Researchers have discovered a code injection vulnerability (CVE-2025-13780) in the PostgreSQL graphical interface tool pgAdmin. When the system is in server mode, a remote attacker with normal privileges can upload a specially crafted malicious backup file. Subsequently, when the PLAIN format backup file restoration function is triggered, the system will parse the specially crafted backup file, thereby executing arbitrary code on the pgAdmin host. Please confirm and patch this vulnerability as soon as possible. [Affected Platforms] pgAdmin versions 9.10 and below [Recommended Actions] Update pgAdmin to version 9.11 or above [References] 1. https://nvd.nist.gov/vuln/detail/CVE-2025-13780 2. https://www.endorlabs.com/learn/when-regex-isnt-enough-how-we-discovered-cve-2025-13780-in-pgadmin
相關訊息	參考資料1 參考資料2
公告時間	2026/1/6 至 2026/7/6	點閱次數	185