Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1waE67-001cTd-1K for pgadmin-hackers@arkaria.postgresql.org; Thu, 18 Jun 2026 14:52:03 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1waE66-00C0xl-1L for pgadmin-hackers@arkaria.postgresql.org; Thu, 18 Jun 2026 14:52:02 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1waE66-00C0xd-0E for pgadmin-hackers@lists.postgresql.org; Thu, 18 Jun 2026 14:52:02 +0000 Received: from mail-ed1-x52a.google.com ([2a00:1450:4864:20::52a]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1waE64-00000000zH5-0uU2 for pgadmin-hackers@postgresql.org; Thu, 18 Jun 2026 14:52:01 +0000 Received: by mail-ed1-x52a.google.com with SMTP id 4fb4d7f45d1cf-6954cb3dd95so139738a12.3 for ; Thu, 18 Jun 2026 07:51:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1781794313; cv=none; d=google.com; s=arc-20240605; b=A7x6kN0wykwd6hjIQyV8NQ7PifsK/xrVCz90pF501NNJ3kBDm4iAZaY0f5G3XNGLOw 5/njV36a218qsXx7MkCamJXO1FWgfw+CZeq8AQhFGQX24bXGpEHQdNnzaQl15Why+MRa aAe9kP/ZGoXgip/z10OXaqTETBj1cNhsb7TIJTlzA+3Xq3nZk5CTKD7i6ZfHg+kPPaVC XhPYkrVUUVQ2DZeiPsySOV42oNXTLFBa4J/35+7KScWtw2CYPs4e7OFfj8yzzSmNU03R S7e9RVfKrWgxi8iNb0T3orslh6Xbl5YorUh3WQhf/bbxszUqfuDBLRqkdSeFTc3Eo9h4 q8lw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:mime-version:dkim-signature; bh=SR8ZliDIwnlmAfwrS5m06nrHkZvjAJLTeXYDn+eVX1s=; fh=qOaitWF++R1lCKIvKXSedMJF4DXnFLncmLHRn7kEvLw=; b=IwkEJxhNew/M233sIFZu1CwzAEAng+dGiODcjy+h7JINrb+/7ndHERTDto+vFLDfbM 9/6lR9CkvA5yo1VgcgsIBHo8MXKiBmMJ0izSkj6sA2ruIfEnfSb0K4MLaNLh830S4zF9 fY0w7T6rDqwbV1zz0wZPKrQmG9+wX/PxXlFrbMPRcIdymWP4/fgsbBJHS1EsmcRk/TiK wbYWeyCo3OnHLaVNsnXHlMJGVBKqu9ulfB6TFj+uFvVs0eO15F66krO8gylr++jR2iYI Hq9naRTts4L1Y8Sar8PJS6rioCF/tdfRkm9/AVdVLobBwis4MkTr8x3xh2eKlSObKbDC fcbA==; darn=postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1781794313; x=1782399113; darn=postgresql.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=SR8ZliDIwnlmAfwrS5m06nrHkZvjAJLTeXYDn+eVX1s=; b=aDH6Prtnvi4aKMEbvj3BLIpaQLCV4Cktl11dGMYHxbuJuhYjoMPeJe5x5kwIHRkHWL umt9ehQLdKe6T+1BR74Jk75Fog6oVd4GtmYrl3O2rZ2d62XmmTqnUNiBdYDxRLYoHxrQ 9As4861xYv4gheS+yi7kfYl8wXz/Vh6gV2L3bsvn7gBMwzU3l53RzJkIqioJAmQpcRMe cFfICuzyDUZytNGGcjrA8rt7d9UmYZzinH7O3tL5EjmbMieuCbN8lSRAhkChOH7f6XLA hQP6s1K7Rioi32KjZx47o2Oe2eoLDTi8OrCiSwj19MR+mETEzqGB6MOEfoBLnlrDqZXH uLzQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781794313; x=1782399113; h=to:subject:message-id:date:from:mime-version:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=SR8ZliDIwnlmAfwrS5m06nrHkZvjAJLTeXYDn+eVX1s=; b=NKNuUtxv2yQ6AUvpXMuFVJimYbB7XKYjvkQ5sIPUx1EWKaTBdHFdZc1tawFIeGWZYh mCdKzXGJgopASkAG8EqB9roR2Pi0oSBZw5p4eM1dnVCh8i/jBQ5GVelUw4Ft7nAh+WG7 9bpviIRPassPQvaGUMKRq34oFXUNK4Ep5VeT8rOWOypWm/t0IFe/au7+/Jpy9xtHtMOa s0r5+lcH3p5NSHcMHLuJlN2Br0ziR1KqAdNIrrqboW+ctObwJQ4T61HkfDgUs3d+sWNo 4MeHad5m2YjqGqb2Jeo30OB6OSf6u14Ur5t3vtNpTc0O6ZNw58R6jEyE8INApGlRDmvt 0U0g== X-Gm-Message-State: AOJu0Yy76ZZgezdttnMzFf/lMOdkMxob9Fw6mBReZE6u4Kblc3rX8OiB +B+Pzgx4aIV992y2WwRuqcnjiAwOkYyswlTnHLeD/1YB1+1zrxoOy/LmZNUGXnxsTzWmDFAWwxA +uEJWRnvlFrQr5AT02RWgwZL1r9QK0QraW80iCIjQD0yn32rUa6w0sLfm X-Gm-Gg: AfdE7cnqoXyYWNSZKKprUd+uDAYy7yWTyDYjSfpuIquLvbmrdthSk4562wKkgrcqh0G fL4se1+i+mS4+uTEK1R1+Wwf31TEUGmFQp3FZStom7O5Z7oQimbMWf8PttSwU6rApJAFjOfqAHg QjYK5OApEnlNyHlST37RBBJg/vdNPx9WGbKYH+oT/AvYTEcfmUlxtXxmRPGy5G4Zj9E5/Hx785t Vi5/oN8pnsfqOwAipODqj1ipYoIac2ZkF3cvJ2C9hGUILbi3C9iVRrCkfGjNeCZP7fSbKaVVg== X-Received: by 2002:a05:6402:518e:b0:695:ded8:e89c with SMTP id 4fb4d7f45d1cf-695ded8eda6mr751436a12.8.1781794313011; Thu, 18 Jun 2026 07:51:53 -0700 (PDT) MIME-Version: 1.0 From: Ashesh Vashi Date: Thu, 18 Jun 2026 20:21:38 +0530 X-Gm-Features: AVVi8CdhLkHZn2I4yyBjMI7b7YzC8TSs1YbtJYvLzAX_inHId9JjsteyFUKG6Ds Message-ID: Subject: pgAdmin 4 v9.16 Released To: pgadmin-hackers Content-Type: multipart/alternative; boundary="000000000000172cfb06548851a7" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000172cfb06548851a7 Content-Type: text/plain; charset="UTF-8" The pgAdmin Development Team is pleased to announce pgAdmin 4 version 9.16. This release of pgAdmin 4 includes 64 bug fixes and new features. For more details please see the release notes at: https://www.pgadmin.org/docs/pgadmin4/9.16/release_notes_9_16.html pgAdmin is the leading Open Source graphical management tool for PostgreSQL. For more information, please see: https://www.pgadmin.org/ Notable changes in this release include: *Features:* * Add an option to colourize panel and tab headers based on the connected server's colour, making it easier to tell which server a tab is connected to at a glance. * Add a "Back to login" link to the Forgot Password and Reset Password pages. * Add support for the TOAST tuple target storage parameter in the Materialized View dialog. * Make the init container security context in the Helm chart configurable via containerSecurityContext, consistent with the main container. * Add support for closing a tab with a middle-click on its title. * Allow the OAuth2 login button icon to use any Font Awesome style (e.g. fas fa-key), not only brand icons. *Bugs/Housekeeping:* * Fix SQL injection across sixteen dialog templates that rendered COMMENT ON ... IS '' and the related pgstattuple/pgstatindex stats sinks; switches the affected templates to qtLiteral and rewrites the stats calls to pass the relation OID via a ::oid::regclass cast (CVE-2026-12044). * Fix the AI Assistant read-only transaction bypass that allowed prompt-injected multi-statement payloads to commit out of the READ ONLY wrapper and execute arbitrary SQL, chaining to RCE via COPY ... TO PROGRAM on a superuser connection (CVE-2026-12045). * Fix two SQL Editor endpoints (close and update_connection) missing the @pga_login_required decorator, making them reachable without authentication in server mode and exposing a pickle deserialization sink (CVE-2026-12046). * Fix HTML injection in the cloud deployment module (RDS, Azure, Google) where SDK exception text was forwarded to the browser unsanitised and rendered through html-react-parser in the Cloud Wizard (CVE-2026-12047). * Fix critical stored cross-site scripting where PostgreSQL server error text and Explain plan-node content passed through html-react-parser across notifier toasts, form errors, modal alerts, and the Explain visualiser; under pgAdmin's default Content-Security-Policy, injected script ran same-origin to the victim's session and could exfiltrate saved server credentials and issue SQL against every connected server (CVE-2026-12048). * Fix the open redirect in the multi-factor authentication flow via an unvalidated next parameter (CVE-2026-12049). * Fix SQL injection in the named restore point endpoint where the user-supplied restore point name was interpolated into SQL via str.format() instead of being passed as a bound parameter (CVE-2026-12050). * Remove the administrator-role bypass from the server-access helpers so the access-control checks added in 9.15 (CVE-2026-7813) are enforced uniformly. The Administrator role manages pgAdmin itself, not other users' database connections. * Remove the EDB BigAnimal cloud deployment support, which was deprecated in 9.15. * Preserve jsonb number representation in the JSON editor so trailing fractional zeros and large integers are no longer rewritten when saving unmodified rows. * Fix a View/Edit Data crash when the session contains a transaction object that is not filter-capable (e.g. left by the Query Tool or persisted by an older version), which could prevent the desktop application from loading after an upgrade. * Rebase the version-specific SQL templates so the default targets PostgreSQL 14, the oldest supported server version, dropping the obsolete sub-14 template buckets. * Strip the foreign-architecture slice from the macOS bundle so single-arch builds no longer ship the universal2 Python framework's unused arm64/x86_64 code. * Bump Electron in the desktop runtime to 42.3.3 and pin the packaged Electron version, bump cryptography to 49.0 and other Python and JavaScript dependencies via the dependabot batch. * Update the Italian translation. Builds for Windows and macOS are available now, along with a Python Wheel, Docker Container, RPM, DEB Package, and source code tarball from: https://www.pgadmin.org/download/ *Deprecation Notice: pgAgent* pgAgent has been deprecated and will be discontinued. The pgAgent will be removed from the website within one month. Support for pgAgent within pgAdmin will be removed in a future release approximately six months from now. Users are encouraged to migrate to an alternative job scheduling solution before support is removed. --- Ashesh Vashi pgAdmin Project --000000000000172cfb06548851a7 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
The pgAdmin Development Team is pleased to announce p= gAdmin 4 version 9.16.

This release of pgAdmin 4 includes 64 bug fix= es and new features. For more details please see the release notes at:
<= br>https://www.pgadmin.org/docs/pgadmin4/9.16/release= _notes_9_16.html

pgAdmin is the leading Open Source graphical ma= nagement tool for PostgreSQL. For more information, please see:

https://www.pgadmin.org/=

Notable changes in this release include:

Features:

* Add an option to colourize panel and tab headers based on the co= nnected server's colour, making it easier to tell which server a tab is= connected to at a glance.
* Add a "Back to login" link to the= Forgot Password and Reset Password pages.
* Add support for the TOAST t= uple target storage parameter in the Materialized View dialog.
* Make th= e init container security context in the Helm chart configurable via contai= nerSecurityContext, consistent with the main container.
* Add support fo= r closing a tab with a middle-click on its title.
* Allow the OAuth2 log= in button icon to use any Font Awesome style (e.g. fas fa-key), not only br= and icons.

Bugs/Housekeeping:

* Fix SQL injection acro= ss sixteen dialog templates that rendered COMMENT ON ... IS '<descri= ption>' and the related pgstattuple/pgstatindex stats sinks; switche= s the affected templates to qtLiteral and rewrites the stats calls to pass = the relation OID via a ::oid::regclass cast (CVE-2026-12044).
* Fix the = AI Assistant read-only transaction bypass that allowed prompt-injected mult= i-statement payloads to commit out of the READ ONLY wrapper and execute arb= itrary SQL, chaining to RCE via COPY ... TO PROGRAM on a superuser connecti= on (CVE-2026-12045).
* Fix two SQL Editor endpoints (close and update_co= nnection) missing the @pga_login_required decorator, making them reachable = without authentication in server mode and exposing a pickle deserialization= sink (CVE-2026-12046).
* Fix HTML injection in the cloud deployment mod= ule (RDS, Azure, Google) where SDK exception text was forwarded to the brow= ser unsanitised and rendered through html-react-parser in the Cloud Wizard = (CVE-2026-12047).
* Fix critical stored cross-site scripting where Postg= reSQL server error text and Explain plan-node content passed through html-r= eact-parser across notifier toasts, form errors, modal alerts, and the Expl= ain visualiser; under pgAdmin's default Content-Security-Policy, inject= ed script ran same-origin to the victim's session and could exfiltrate = saved server credentials and issue SQL against every connected server (CVE-= 2026-12048).
* Fix the open redirect in the multi-factor authentication = flow via an unvalidated next parameter (CVE-2026-12049).
* Fix SQL injec= tion in the named restore point endpoint where the user-supplied restore po= int name was interpolated into SQL via str.format() instead of being passed= as a bound parameter (CVE-2026-12050).
* Remove the administrator-role = bypass from the server-access helpers so the access-control checks added in= 9.15 (CVE-2026-7813) are enforced uniformly. The Administrator role manage= s pgAdmin itself, not other users' database connections.
* Remove th= e EDB BigAnimal cloud deployment support, which was deprecated in 9.15.
= * Preserve jsonb number representation in the JSON editor so trailing fract= ional zeros and large integers are no longer rewritten when saving unmodifi= ed rows.
* Fix a View/Edit Data crash when the session contains a transa= ction object that is not filter-capable (e.g. left by the Query Tool or per= sisted by an older version), which could prevent the desktop application fr= om loading after an upgrade.
* Rebase the version-specific SQL templates= so the default targets PostgreSQL 14, the oldest supported server version,= dropping the obsolete sub-14 template buckets.
* Strip the foreign-arch= itecture slice from the macOS bundle so single-arch builds no longer ship t= he universal2 Python framework's unused arm64/x86_64 code.
* Bump El= ectron in the desktop runtime to 42.3.3 and pin the packaged Electron versi= on, bump cryptography to 49.0 and other Python and JavaScript dependencies = via the dependabot batch.
* Update the Italian translation.

Build= s for Windows and macOS are available now, along with a Python Wheel, Docke= r Container, RPM, DEB Package, and source code tarball from:
https://www.pgadmin.or= g/download/

Deprecation Notice: pgAgent

pgAgent ha= s been deprecated and will be discontinued. The pgAgent will be removed fro= m the website within one month. Support for pgAgent within pgAdmin will be = removed in a future release approximately six months from now.
Users are= encouraged to migrate to an alternative job scheduling solution before sup= port is removed.

---
Ashesh Vashi

pgAdmin Proje= ct
--000000000000172cfb06548851a7--