CVE-2025-60796

CVE Database · CVE-2025-60796

CVE-2025-60796

· MEDIUMAnalyzed

CVSS v3.1

6.1

EPSS

0.19%

Published

Nov 20, 2025

Modified

Nov 25, 2025

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting (XSS) vulnerabilities across various components. User-supplied input from $_REQUEST parameters is reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php, admin.php, and other unspecified files. An attacker can exploit these vulnerabilities to execute arbitrary JavaScript in victims' browsers, potentially leading to session hijacking, credential theft, or other malicious actions.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

CWE-79

Affected Products (1)

phppgadmin_project · phppgadminvulnerable

References (4)

https://github.com/phppgadmin/phppgadmin/blob/master/admin.php#L35

Product

https://github.com/phppgadmin/phppgadmin/blob/master/indexes.php#L29

Product

https://github.com/phppgadmin/phppgadmin/blob/master/sequences.php#L316

Product

https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60796.md

Third Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs