Hi team I found a XSS vulnerabillity on the latest pgAdmin4 (6.12).
Step by step
Bug is at API /browser/server/obj/7/
Object -> Register -> Server -> Connection
Fill in Hostname/address value ss"><iframe src=javascript:alert(document.domain)>
Click save, XSS fired
Anymore information, you can ask me
Thanks
khoabda