This mail is sent to this mailing list because PGObject::Util::DBAdmin itself doesn't have a mailing list to send the disclosure to. We'll update its repository to reflect the announcement below.
Nick Prater discovered that PGObject::Util::DBAdmin insufficiently
sanitizes or escapes variable values that are interpolated into shell
commands it executes, resulting in shell command injection.
The vulnerability allows an attacker who controls those values to execute
arbitrary commands with the same privileges as the running application
through the create(), run_file(), backup() and restore() functions.
Affected versions: PGObject::Util::DBAdmin 0.110.0 and lower.
Vulnerability type: insufficiently sanitized arguments in external program invocation.
Credit: Nick Prater (NP Broadcast LTD)
Fix: upgrade to PGObject::Util::DBAdmin 0.120.0 or newer (0.130.0 is available on CPAN).
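For readers auditing their own Perl code for the same class of bug, the following is an added illustration and is not code from PGObject::Util::DBAdmin or from its fix. It contrasts the pattern the advisory describes (an untrusted value interpolated into one shell string) with the list form of system() and open(), which hands each argument directly to execve() and never involves /bin/sh. The function names, the pg_dump invocation and the sample database name are assumptions made for the example.

```perl
#!/usr/bin/env perl
# Added illustration, not PGObject::Util::DBAdmin's own code: the shell-string
# pattern behind this advisory next to a shell-free invocation.
use strict;
use warnings;

# Constructed sample value: a database name carrying a shell metacharacter.
# In the shell-string pattern the shell, not pg_dump, would act on the ';'.
my $dbname = 'app_db; echo INJECTED';

# Pattern to avoid (hypothetical): a single string is handed to /bin/sh, so
# every metacharacter in $db is interpreted. Returned as text, never run here.
sub unsafe_command_string {
    my ($db) = @_;
    return "pg_dump $db > backup.sql";
}

# Shell-free replacement (hypothetical helper): the list form of open('-|')
# forks and execs pg_dump with $db as exactly one argument, metacharacters
# included. Output redirection is done in Perl instead of with a shell '>'.
# Note that a one-element list still goes through the shell when it contains
# metacharacters, so always pass the program and its arguments separately.
sub run_backup {
    my ($db, $outfile) = @_;
    open(my $out, '>', $outfile) or die "open $outfile: $!";
    open(my $cmd, '-|', 'pg_dump', $db) or die "cannot exec pg_dump: $!";
    print {$out} $_ while <$cmd>;
    close $cmd;                 # $? now holds pg_dump's exit status
    close $out or die "close $outfile: $!";
    return $? >> 8;             # 0 on success
}

# Demonstration that runs anywhere, using printf as a stand-in for pg_dump:
# the whole value arrives as one argument and no second command executes.
system('printf', '%s\n', $dbname) == 0 or die "printf failed: $?";
# prints the single literal line:  app_db; echo INJECTED

print "string a shell would have interpreted: ",
      unsafe_command_string($dbname), "\n";
```

When the external program needs a shell feature such as redirection, do the redirection in Perl (as run_backup does) or use a module such as IPC::Run that builds the argument vector for you; quoting by hand with string concatenation is the part that went wrong here.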