Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wMRZF-0005wA-2h for pgadmin-support@arkaria.postgresql.org; Mon, 11 May 2026 14:25:09 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wMRZE-0015x0-1W for pgadmin-support@arkaria.postgresql.org; Mon, 11 May 2026 14:25:08 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wMRYm-001170-0a for pgadmin-support@lists.postgresql.org; Mon, 11 May 2026 14:24:40 +0000 Received: from mail-ed1-x531.google.com ([2a00:1450:4864:20::531]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1wMRYj-000000003bs-2kzW for pgadmin-support@postgresql.org; Mon, 11 May 2026 14:24:39 +0000 Received: by mail-ed1-x531.google.com with SMTP id 4fb4d7f45d1cf-67b6edfa1f4so407852a12.0 for ; Mon, 11 May 2026 07:24:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1778509476; cv=none; d=google.com; s=arc-20240605; b=MpsdqrO1JEIX0EnwOk7W9ZwQeA7qQIgOJFHfN2vFJcXCpP0WI/n5hbRANhxNDhxqKg 2+g7tewKuCiSjMS70z9fJamNzWXb1rKu+RXlJY8F0RDwcaeudq7h8qQDjAg51tCfehw/ AhIElmyHBb4g3qRSNGdVtbqKmBc3iOc/25+kOpXDkTJydc23V6B4LWdQrL29VzBurufM 4O+qKzREA1FJQqUKKDPMdXNG6q0IC08+O04W6avVY3icF5KrggiLg+j6UakthdxNsTR0 GOG1qgJCIjiDqaYb1VMHLHmd1/hF6LhwMVzwwcaMfQP5vvPBArdOU8qMIB3C4pa0kqcY h8ng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:mime-version:dkim-signature; bh=IibKaxVv9GDkrK/kPrt1GCWXvPmu310Nvkbqu+ouBJ4=; fh=j2HZrm8GWz7HV+mqOt4nOcwwB2+3bvIqVRDp9hEZt1Q=; b=Tj0tKXhFlOKQPkddRXO2wVCSNUQyLFz+TQ8Lp6V7c2QS1Y4wx9s+cEGUZo/8e4CSGw 8nkGE1Z60AEo/Y/9INzzNB+1HISQNE6VJbDwDyPVN3/4JpMJPjqylDnhiQpH0uLVHlyK i55JYxYvbCdYADW695q8jg1RYACwKc5s3HG9w7iRDbTU9k2srbm6wP3d2NloBusH7wYO Z8v6qXJ7dacTbsXtxwp9ZaTM1CtzjC9kIFEf5JfrA/xc1J1+9+OX4KWVm7woLPfncVk9 natS7xzoR9frJRbyNQz3y03k8wy4aMMTg6fLNzcmmSwNnFqVsevDxV/GRPxMk9glOHQ+ 2ZdA==; darn=postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1778509476; x=1779114276; darn=postgresql.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=IibKaxVv9GDkrK/kPrt1GCWXvPmu310Nvkbqu+ouBJ4=; b=NGzWpZ65hwzJKy/6MHYskV8w4/Tb13CwzSz2P5H+pXbE1sFI7so0U4jTPQ00dqWH4I VpHSyDknO9Fpe7KzRpmWXpNJK91LyhovDGVx0cdEpz98gUwfDL1Clt72p45yRhrmoEge 4Bi/T9zlTO6W1XJ7fMeP9/WyfqRAHBCMsJ7MKLd4F0CLWcFjHvv9RtorKbgkN3+2zchj 0wXr+pj8gZLk7hazgmD3J+/1plkIDWMN0b4M70QDvysynRPTdRQ3i0QaQYE3opPRxK7a vOLi1sZ2Jmh/U2AAERLFFRD7YQ3D2qVLFUFDlHjVFrjLv8VScZW4c4bBZpmg78ZHeY81 zrGQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778509476; x=1779114276; h=to:subject:message-id:date:from:mime-version:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=IibKaxVv9GDkrK/kPrt1GCWXvPmu310Nvkbqu+ouBJ4=; b=IDItfio/5qgjaTARHr0Zwg9a1B2rrUQTDBWl6AnHugLo8HO1KxB+KxkT90k8XeRozj EZrgmRKQLfWrXn2a0Ntzw1gZpW7A573vvk4hNgnYoj4CGoad5/19udy7OPnIY5Qqa58P 2Yj5SwzO0tecqnxCbWKkfQFikrZlACjFEN7jnvzBsD9vK2tm3B6gxhJ0ZEexNst3QSZy Xsbb7ZGIVEegPmOmbTAyF7ML3Cyjx41YM0dCo1a2Zfp4obsKNt9KwPe1Osctg96G0cl/ eE5g0vEXApBPviY7myg+QjAxiIq1eXumLP//b1JZIe0KLprRObL7eKsxZQDCHIqshfkQ k9OQ== X-Gm-Message-State: AOJu0YxaB3C2qaWDHxEyxNOAp0ELStE/fL870Mh7hVOjsiYvtIOM9l1r mUy47WOpK+e19IcWGD7Y6yPcu5CyRxCUMaSZ/edZ1zvz6mOFTaZhnQ4d8R6FmXzeyURBgh9QUQp JC8QW+RTyiTicY75MopY2ZQLOWyYVrMS0abGEaP9roXmFi+xmxsCOvztT X-Gm-Gg: Acq92OFKSsbcHEXxWU5d1+rlCun80VILsCYO7T2xa+onr88CtAjbEeXr3rwd5GF3xsN r9UlhRPFpq5xRE2iqFl+B/pMj4QLuWLZDjNFwaO0n3n2sUNAjFb7WJb/i+Jhdvkibh3fTTqSf9j PxSx9TPXHLH2uBAm1sYqyk5qIARy30Y+3veaYv9iJYoUNyhwGajMzmU7u496sXe3oj0TPhkGQIk K4U/XekhyGcB94posy6ZANhDa9nFRNo2jAyGwl8khcOMXnnZxqHelE6ZHmiLE36OdWGt3Iv7DYt H8TeMbAcsw== X-Received: by 2002:a05:6402:50d3:b0:670:8acc:8f0a with SMTP id 4fb4d7f45d1cf-67d6e6b061cmr4761775a12.4.1778509475619; Mon, 11 May 2026 07:24:35 -0700 (PDT) MIME-Version: 1.0 From: Ashesh Vashi Date: Mon, 11 May 2026 19:54:23 +0530 X-Gm-Features: AVHnY4Ln2cegmky-FRavHEoq1b9Ojn0-J8iZupGXE4Bzo5CvToHEHwrSXGxAOXM Message-ID: Subject: pgAdmin 4 v9.15 Released To: pgadmin-support Content-Type: multipart/alternative; boundary="0000000000008652dd06518b810d" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --0000000000008652dd06518b810d Content-Type: text/plain; charset="UTF-8" The pgAdmin Development Team is pleased to announce pgAdmin 4 version 9.15. This release of pgAdmin 4 includes 19 bug fixes and new features. For more details please see the release notes at: https://www.pgadmin.org/docs/pgadmin4/9.15/release_notes_9_15.html pgAdmin is the leading Open Source graphical management tool for PostgreSQL. For more information, please see: https://www.pgadmin.org/ Notable changes in this release include: *Features:* - Allow the Docker container image to run as a non-default user via the PUID and PGID environment variables. *Bugs/Housekeeping:* - Fix cross-user data access and shared-server privilege escalation in server mode (CVE-2026-7813). - Tighten Shared Server feature parity, owner-only field handling, and write guards as a follow-up to the data-isolation hardening. - Fix stored cross-site scripting (XSS) via crafted PostgreSQL object names rendered in the Browser Tree and Explain Visualizer (CVE-2026-7814). - Fix SQL injection in the Maintenance tool option values (CVE-2026-7815). - Fix OS command injection in Import/Export query export (CVE-2026-7816). - Fix local-file inclusion and server-side request forgery in the LLM API configuration endpoints (CVE-2026-7817). - Fix unsafe deserialization in the session manager that could lead to remote code execution (CVE-2026-7818). This change also encrypts session files at rest using Fernet, restricts session-file and DATA_DIR permissions to 0o600, switches the session-digest default from SHA-1 to SHA-256, and drops several non-roundtrippable live objects from the session. - Fix symlink-based path traversal in the file manager (CVE-2026-7819). - Fix account-lockout bypass on Flask-Security's default /login view so the locked field is honored on every authentication path (CVE-2026-7820). - Use absolute paths for a2enmod and a2enconf in the Debian setup script so it works when /usr/sbin is not on PATH. - Bump Python and JavaScript runtime/development dependencies, and upgrade ESLint to v10. - Update the Czech, Italian, Russian, Spanish, and Swedish translations. *Deprecations:* - The BigAnimal cloud deployment integration is deprecated and will be removed in the next version of pgAdmin 4. Builds for Windows and macOS are available now, along with a Python Wheel, Docker Container, RPM, DEB Package, and source code tarball from: https://www.pgadmin.org/download/ --- Ashesh Vashi pgAdmin Project --0000000000008652dd06518b810d Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

The pgAdmin Development Team is pleased to announce pgA= dmin 4 version 9.15.

This release of pgAdmin 4 includes 19 bug fixes = and new features. For more details please see the release notes at:

<= a href=3D"https://www.pgadmin.org/docs/pgadmin4/9.15/release_notes_9_15.htm= l" target=3D"_blank">https://www.pgadmin.org/docs/pgadmin4/9.15/release_not= es_9_15.html

pgAdmin is the leading Open Source graphical managem= ent tool for PostgreSQL. For more information, please see:

https://www.pgadmin.org/

Notable changes in this release include:

Features:

  • Allow the Docker container image to run as a non-default user via the P= UID and PGID environment variables.

    Bugs/Housekeeping:

    • Fix cross-user data access and shared-server privilege escalation in se= rver mode (CVE-2026-7813).
    • Tighten Shared Server feature parity, owner-only field handling, and wr= ite guards as a follow-up to the data-isolation hardening.
    • Fix stored cross-site scripting (XSS) via crafted PostgreSQL object nam= es rendered in the Browser Tree and Explain Visualizer (CVE-2026-7814).
    • Fix SQL injection in the Maintenance tool option values (CVE-2026-7815)= .
    • Fix OS command injection in Import/Export query export (CVE-2026-7816).=
    • Fix local-file inclusion and server-side request forgery in the LLM API= configuration endpoints (CVE-2026-7817).
    • Fix unsafe deserialization in the session manager that could lead to re= mote code execution (CVE-2026-7818). This change also encrypts session file= s at rest using Fernet, restricts session-file and DATA_DIR permissions to = 0o600, switches the session-digest default from SHA-1 to SHA-256, and drops= several non-roundtrippable live objects from the session.
    • Fix symlink-based path traversal in the file manager (CVE-2026-7819).
    • Fix account-lockout bypass on Flask-Security's default /login view = so the locked field is honored on every authentication path (CVE-2026-7820)= .
    • Use absolute paths for a2enmod and a2enconf in the Debian setup script = so it works when /usr/sbin is not on PATH.
    • Bump Python and JavaScript runtime/development dependencies, and upgrad= e ESLint to v10.
    • Update the Czech, Italian, Russian, Spanish, and Swedish translations.<= /li>

    Deprecations:

    • The BigAnimal cloud deployment = integration is deprecated and will be removed in the next version of pgAdmi= n 4.

    Builds for Windows and macOS are available now, along with= a Python Wheel, Docker Container, RPM, DEB Package, and source code tarbal= l from:

    https://www.pgadmin.org/download/

    ---

    Ashesh Vashi
    pgAdmin Project

    --0000000000008652dd06518b810d--