CVE-2026-12046 / CVE-2026-12045 / CVE-2026-12048 — pgAdmin 4: unauthenticated pickle deserialization RCE, AI-Assistant read-only-transaction bypass, stored XSS
From CTI Daily Brief — 2026-06-19 · published 2026-06-19
pgAdmin 4 v9.16 (2026-06-18) patches seven CVEs across v6.0–9.15 in the project's own coordinated-disclosure release notes (pgAdmin, 2026-06-18).

CVE-2026-12046 (CVSS v4 9.5): two SQL-Editor endpoints (DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/...) are missing the @pga_login_required decorator in server mode, making them reachable unauthenticated; both reach a pickle.loads() sink on session gridData[trans_id]['command_obj']. Full RCE additionally requires knowledge of the Flask SECRET_KEY and write access to the session store — preconditions that can exist on shared hosting or after partial compromise.

CVE-2026-12045 (CVSS v4 9.4): the AI Assistant wraps LLM-generated SQL in BEGIN TRANSACTION READ ONLY, but a COMMIT/ROLLBACK-prefixed multi-statement payload escapes the read-only guard, enabling DML and — on a superuser role via COPY ... TO PROGRAM — OS command execution, delivered through prompt injection into any database object the Assistant reads.

CVE-2026-12048 (CVSS v4 9.3): stored XSS via unsanitised PostgreSQL error text and EXPLAIN-plan content rendered through html-react-parser.

The pgAdmin release notes do not publish CVSS scores; the CVSS v4 figures here are ENISA EUVD's (EUVD-2026-37966 = 9.5, EUVD-2026-37965 = 9.4, EUVD-2026-37968 = 9.3) (ENISA EUVD, 2026-06-18). No exploitation reported.
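The CVE-2026-12046 pattern (a route whose decorator stack lacks the authentication decorator, feeding session-controlled bytes to pickle.loads()) is mechanically findable in source before release. The following is an added example, not pgAdmin code: an `ast`-based audit that flags route view functions carrying no authentication decorator and any call into pickle.loads()/pickle.load(), including aliases imported from the pickle module. The sample module it scans is constructed to mirror the brief's description; the decorator names `pga_login_required`/`login_required` and the `blueprint.route` spelling are assumptions about the code base being audited.

```python
"""Static audit for the two defects CVE-2026-12046 combines: a route whose
decorator stack has no authentication decorator, and a pickle.loads()/
pickle.load() sink (pickle executes arbitrary code when it deserialises
attacker-influenced bytes).  Added example, not pgAdmin code; the decorator
and route-registration names below are assumptions about the audited tree."""
import ast

AUTH_DECORATORS = {"pga_login_required", "login_required"}            # assumed names
ROUTE_REGISTRARS = {"route", "get", "post", "put", "patch", "delete"}  # blueprint.route, app.get, ...
PICKLE_SINKS = {"pickle.loads", "pickle.load"}

# Constructed sample module: `close` is reachable without authentication and
# feeds session-controlled bytes to pickle; `query_tool` is correctly guarded.
SAMPLE_MODULE = '''
import pickle
from flask import session

@blueprint.route("/sqleditor/close/<int:trans_id>", methods=["DELETE"])
def close(trans_id):
    grid = session["gridData"][str(trans_id)]
    cmd = pickle.loads(grid["command_obj"])
    return cmd.close()

@blueprint.route("/sqleditor/query_tool/<int:trans_id>")
@pga_login_required
def query_tool(trans_id):
    return render(trans_id)
'''


def _dotted_name(node):
    """'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _decorator_names(func):
    """Dotted names of all decorators, with call parentheses stripped."""
    names = []
    for dec in func.decorator_list:
        name = _dotted_name(dec.func if isinstance(dec, ast.Call) else dec)
        if name:
            names.append(name)
    return names


def _pickle_aliases(tree):
    """Local names bound by `from pickle import loads [as x]` style imports."""
    aliases = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "pickle":
            for alias in node.names:
                if alias.name in ("loads", "load"):
                    aliases.add(alias.asname or alias.name)
    return aliases


def audit_source(source):
    """Return [(lineno, message)] sorted by line for the defects above."""
    tree = ast.parse(source)
    sinks = PICKLE_SINKS | _pickle_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            decs = _decorator_names(node)
            last = {d.rsplit(".", 1)[-1] for d in decs}      # attribute part only
            if last & ROUTE_REGISTRARS and not last & AUTH_DECORATORS:
                findings.append((node.lineno,
                                 f"route view '{node.name}' has no authentication decorator"))
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in sinks:
                findings.append((node.lineno, f"deserialisation sink {name}() reached"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, msg in audit_source(SAMPLE_MODULE):
        print(f"line {lineno}: {msg}")
```

Run it over every `.py` file in a tree (os.walk plus `audit_source(open(path).read())`) in CI. The two findings are independent controls: the decorator check closes the authentication gap, and replacing pickled session state with JSON or an itsdangerous-signed payload removes the code-execution sink even where an authentication check is later dropped again.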
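CVE-2026-12045 illustrates why string-wrapping generated SQL in BEGIN TRANSACTION READ ONLY is not a security boundary: the server executes each `;`-separated statement in turn, so a payload that opens with COMMIT or ROLLBACK ends the read-only transaction before its own statements run. The following is an added example, not pgAdmin's code: it splits the wrapped text the way the server will see it, and adds a fail-closed, statement-level check to run before the SQL is sent (exactly one statement, no transaction control, an allowlisted read-only statement type, no write keyword anywhere in it). The keyword sets and the `naive_wrap` helper are this example's own constructions. It is defence in depth only; the durable control is a database role for the Assistant that cannot write (no DML grants, `default_transaction_read_only = on`) and is never a superuser, which no wrapper string can undo.

```python
"""Statement-level guard for SQL generated by an LLM assistant.
Added example (not pgAdmin code) for CVE-2026-12045: shows the wrapped text
as a sequence of statements and rejects anything but one read-only statement.
Defence in depth only; a non-superuser role without write grants is the
control that holds."""
import re

TXN_CONTROL = {"BEGIN", "START", "COMMIT", "END", "ROLLBACK", "ABORT",
               "SAVEPOINT", "RELEASE", "PREPARE", "SET"}
READ_ONLY_STARTS = {"SELECT", "WITH", "EXPLAIN", "SHOW", "TABLE", "VALUES"}
WRITE_WORDS = {"INSERT", "UPDATE", "DELETE", "MERGE", "TRUNCATE", "COPY", "CREATE",
               "ALTER", "DROP", "GRANT", "REVOKE", "CALL", "DO", "EXECUTE", "LOCK",
               "VACUUM", "ANALYZE", "REINDEX", "REFRESH"}
_SQUOTE = re.compile(r"'(?:[^']|'')*'")
_DQUOTE = re.compile(r'"(?:[^"]|"")*"')


def naive_wrap(sql):
    """The wrapper pattern the brief describes, for illustration only."""
    return f"BEGIN TRANSACTION READ ONLY; {sql}; COMMIT"


def split_statements(sql):
    """Split on ';' outside quotes and comments, dropping the comments.
    Dollar quoting and E'' escapes are not modelled: where they appear the
    text over-splits, which makes the guard reject more, never less."""
    stmts, buf, state, depth, i = [], [], None, 0, 0
    while i < len(sql):
        c, nxt = sql[i], sql[i + 1:i + 2]
        if state is None:
            if c == "-" and nxt == "-":
                state, i = "--", i + 2
            elif c == "/" and nxt == "*":
                state, depth, i = "/*", 1, i + 2
            elif c in ("'", '"'):
                state, i = c, i + 1
                buf.append(c)
            elif c == ";":
                stmts.append("".join(buf).strip())
                buf, i = [], i + 1
            else:
                buf.append(c)
                i += 1
        elif state == "--":                      # line comment runs to newline
            if c == "\n":
                state = None
                buf.append(" ")
            i += 1
        elif state == "/*":                      # block comments nest in PostgreSQL
            if c == "/" and nxt == "*":
                depth, i = depth + 1, i + 2
            elif c == "*" and nxt == "/":
                depth, i = depth - 1, i + 2
                if depth == 0:
                    state = None
                    buf.append(" ")
            else:
                i += 1
        else:                                    # inside '...' or "..."
            buf.append(c)
            if c == state and nxt == state:      # doubled quote stays inside
                buf.append(nxt)
                i += 2
            else:
                if c == state:
                    state = None
                i += 1
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s]


def classify(stmt):
    """(allowed, reason) for one statement; literals are blanked first so a
    string containing 'delete' is not mistaken for a keyword."""
    bare = _DQUOTE.sub(" ", _SQUOTE.sub(" ", stmt))
    words = [w.upper() for w in re.findall(r"[A-Za-z_]\w*", bare)]
    if not words:
        return False, "empty statement"
    if words[0] in TXN_CONTROL:
        return False, f"transaction control ({words[0]}) is not permitted"
    if words[0] not in READ_ONLY_STARTS:
        return False, f"{words[0]} is not in the read-only allowlist"
    hit = WRITE_WORDS.intersection(words)        # WITH ... DELETE ..., EXPLAIN ANALYZE DELETE
    if hit:
        return False, f"write or side-effect keyword inside statement: {sorted(hit)}"
    return True, "ok"


def guard_llm_sql(sql):
    """Accept exactly one read-only statement; anything else is rejected."""
    stmts = split_statements(sql)
    if len(stmts) != 1:
        return False, f"expected exactly one statement, got {len(stmts)}"
    return classify(stmts[0])


if __name__ == "__main__":
    payload = "COMMIT; DELETE FROM audit_log"    # constructed, mirrors the brief's description
    print(split_statements(naive_wrap(payload)))  # four statements as the server sees them
    print(guard_llm_sql(payload))
```

The splitter is deliberately biased toward false positives: an unhandled quoting form or a column that happens to be named `delete` causes a rejection the user can rephrase around, never an acceptance. Data-modifying CTEs and EXPLAIN ANALYZE over DML are caught by scanning every word of the statement rather than only its first.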