RCE via Malicious Password Param in PostgreSQL Backup Admin
CVE-2025-59468 Published on January 8, 2026

This vulnerability allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter.

NVD

Weakness Type

What is a Command Injection Vulnerability?

The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CVE-2025-59468 has been classified to as a Command Injection vulnerability or weakness.

Affected Versions

Veeam Backup and Recovery:

Version 13.0.0, <= 13.0.0 is affected.

Exploit Probability

EPSS

0.11%

Percentile

30.01%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

RCE via Malicious Password Param in PostgreSQL Backup AdminCVE-2025-59468 Published on January 8, 2026

Weakness Type

What is a Command Injection Vulnerability?

Affected Versions

Exploit Probability

RCE via Malicious Password Param in PostgreSQL Backup Admin
CVE-2025-59468 Published on January 8, 2026