From: Ashesh Vashi
Date: Mon, 11 May 2026 19:54:19 +0530
Subject: pgAdmin 4 v9.15 Released
To: pgadmin-hackers

The pgAdmin Development Team is pleased to announce pgAdmin 4 version 9.15.

This release of pgAdmin 4 includes 19 bug fixes and new features. For more details please see the release notes at:

https://www.pgadmin.org/docs/pgadmin4/9.15/release_notes_9_15.html

pgAdmin is the leading Open Source graphical management tool for PostgreSQL. For more information, please see:

https://www.pgadmin.org/

Notable changes in this release include:

*Features:*

- Allow the Docker container image to run as a non-default user via the PUID and PGID environment variables.

*Bugs/Housekeeping:*

- Fix cross-user data access and shared-server privilege escalation in server mode (CVE-2026-7813).
- Tighten Shared Server feature parity, owner-only field handling, and write guards as a follow-up to the data-isolation hardening.
- Fix stored cross-site scripting (XSS) via crafted PostgreSQL object names rendered in the Browser Tree and Explain Visualizer (CVE-2026-7814).
- Fix SQL injection in the Maintenance tool option values (CVE-2026-7815).
- Fix OS command injection in Import/Export query export (CVE-2026-7816).
- Fix local-file inclusion and server-side request forgery in the LLM API configuration endpoints (CVE-2026-7817).
- Fix unsafe deserialization in the session manager that could lead to remote code execution (CVE-2026-7818). This change also encrypts session files at rest using Fernet, restricts session-file and DATA_DIR permissions to 0o600, switches the session-digest default from SHA-1 to SHA-256, and drops several non-roundtrippable live objects from the session.
- Fix symlink-based path traversal in the file manager (CVE-2026-7819).
- Fix account-lockout bypass on Flask-Security's default /login view so the locked field is honored on every authentication path (CVE-2026-7820).
- Use absolute paths for a2enmod and a2enconf in the Debian setup script so it works when /usr/sbin is not on PATH.
- Bump Python and JavaScript runtime/development dependencies, and upgrade ESLint to v10.
- Update the Czech, Italian, Russian, Spanish, and Swedish translations.

*Deprecations:*

- The BigAnimal cloud deployment integration is deprecated and will be removed in the next version of pgAdmin 4.

Builds for Windows and macOS are available now, along with a Python Wheel, Docker Container, RPM, DEB Package, and source code tarball from:

https://www.pgadmin.org/download/

---
Ashesh Vashi
pgAdmin Project

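The session-store measures listed under CVE-2026-7818 (no unsafe deserialization, a SHA-256 digest, owner-only 0o600 files) are illustrated below for a file-backed session store. This is an added example, not pgAdmin's code: the function names, the tag-plus-JSON file layout and the sample data are assumptions, and the Fernet encryption step is left out because it needs the third-party cryptography package.

```python
import hashlib
import hmac
import json
import os
import stat

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def save_session(path, data, key):
    """Write a session as authenticated JSON in an owner-only file."""
    body = json.dumps(data, sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    # Pass the mode at creation so the file is never briefly readable by others.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        os.fchmod(fh.fileno(), 0o600)  # also tightens a pre-existing file
        fh.write(tag + body)


def load_session(path, key):
    """Return the session dict, or None if the file fails any check."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuse symlinks
    except OSError:
        return None
    with os.fdopen(fd, "rb") as fh:
        mode = os.fstat(fh.fileno()).st_mode
        # Reject non-regular files and any group/other permission bit.
        if not stat.S_ISREG(mode) or stat.S_IMODE(mode) & 0o077:
            return None
        blob = fh.read()
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or foreign file: the body is never parsed
    return json.loads(body)  # data-only format; unlike pickle, runs no code


if __name__ == "__main__":
    import tempfile
    demo_key = os.urandom(32)  # constructed key for the demo
    demo_path = os.path.join(tempfile.mkdtemp(), "sess_demo")
    save_session(demo_path, {"user_id": 7}, demo_key)  # constructed session
    print(load_session(demo_path, demo_key))
```

The integrity check runs before any parsing, so a file an attacker managed to write is rejected without its contents ever reaching a deserializer.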