public inbox for [email protected]help / color / mirror / Atom feed
pgAdmin 4 v9.16 Released 3+ messages / 3 participants [nested] [flat]
* pgAdmin 4 v9.16 Released @ 2026-06-18 14:51 Ashesh Vashi <[email protected]> 0 siblings, 1 reply; 3+ messages in thread From: Ashesh Vashi @ 2026-06-18 14:51 UTC (permalink / raw) To: pgadmin-support The pgAdmin Development Team is pleased to announce pgAdmin 4 version 9.16. This release of pgAdmin 4 includes 64 bug fixes and new features. For more details please see the release notes at: https://www.pgadmin.org/docs/pgadmin4/9.16/release_notes_9_16.html pgAdmin is the leading Open Source graphical management tool for PostgreSQL. For more information, please see: https://www.pgadmin.org/ Notable changes in this release include: *Features:* * Add an option to colourize panel and tab headers based on the connected server's colour, making it easier to tell which server a tab is connected to at a glance. * Add a "Back to login" link to the Forgot Password and Reset Password pages. * Add support for the TOAST tuple target storage parameter in the Materialized View dialog. * Make the init container security context in the Helm chart configurable via containerSecurityContext, consistent with the main container. * Add support for closing a tab with a middle-click on its title. * Allow the OAuth2 login button icon to use any Font Awesome style (e.g. fas fa-key), not only brand icons. *Bugs/Housekeeping:* * Fix SQL injection across sixteen dialog templates that rendered COMMENT ON ... IS '<description>' and the related pgstattuple/pgstatindex stats sinks; switches the affected templates to qtLiteral and rewrites the stats calls to pass the relation OID via a ::oid::regclass cast (CVE-2026-12044). * Fix the AI Assistant read-only transaction bypass that allowed prompt-injected multi-statement payloads to commit out of the READ ONLY wrapper and execute arbitrary SQL, chaining to RCE via COPY ... TO PROGRAM on a superuser connection (CVE-2026-12045). * Fix two SQL Editor endpoints (close and update_connection) missing the @pga_login_required decorator, making them reachable without authentication in server mode and exposing a pickle deserialization sink (CVE-2026-12046). * Fix HTML injection in the cloud deployment module (RDS, Azure, Google) where SDK exception text was forwarded to the browser unsanitised and rendered through html-react-parser in the Cloud Wizard (CVE-2026-12047). * Fix critical stored cross-site scripting where PostgreSQL server error text and Explain plan-node content passed through html-react-parser across notifier toasts, form errors, modal alerts, and the Explain visualiser; under pgAdmin's default Content-Security-Policy, injected script ran same-origin to the victim's session and could exfiltrate saved server credentials and issue SQL against every connected server (CVE-2026-12048). * Fix the open redirect in the multi-factor authentication flow via an unvalidated next parameter (CVE-2026-12049). * Fix SQL injection in the named restore point endpoint where the user-supplied restore point name was interpolated into SQL via str.format() instead of being passed as a bound parameter (CVE-2026-12050). * Remove the administrator-role bypass from the server-access helpers so the access-control checks added in 9.15 (CVE-2026-7813) are enforced uniformly. The Administrator role manages pgAdmin itself, not other users' database connections. * Remove the EDB BigAnimal cloud deployment support, which was deprecated in 9.15. * Preserve jsonb number representation in the JSON editor so trailing fractional zeros and large integers are no longer rewritten when saving unmodified rows. * Fix a View/Edit Data crash when the session contains a transaction object that is not filter-capable (e.g. left by the Query Tool or persisted by an older version), which could prevent the desktop application from loading after an upgrade. * Rebase the version-specific SQL templates so the default targets PostgreSQL 14, the oldest supported server version, dropping the obsolete sub-14 template buckets. * Strip the foreign-architecture slice from the macOS bundle so single-arch builds no longer ship the universal2 Python framework's unused arm64/x86_64 code. * Bump Electron in the desktop runtime to 42.3.3 and pin the packaged Electron version, bump cryptography to 49.0 and other Python and JavaScript dependencies via the dependabot batch. * Update the Italian translation. Builds for Windows and macOS are available now, along with a Python Wheel, Docker Container, RPM, DEB Package, and source code tarball from: https://www.pgadmin.org/download/ *Deprecation Notice: pgAgent* pgAgent has been deprecated and will be discontinued. The pgAgent will be removed from the website within one month. Support for pgAgent within pgAdmin will be removed in a future release approximately six months from now. Users are encouraged to migrate to an alternative job scheduling solution before support is removed. --- Ashesh Vashi pgAdmin Project ^ permalink raw reply [nested|flat] 3+ messages in thread
* Re: pgAdmin 4 v9.16 Released @ 2026-06-26 18:32 Frank Limpert <[email protected]> parent: Ashesh Vashi <[email protected]> 0 siblings, 1 reply; 3+ messages in thread From: Frank Limpert @ 2026-06-26 18:32 UTC (permalink / raw) To: pgadmin-support Dear pgAdmin Team, When and where was pgAgent deprecated? This is the first notice that reaches me. Are there any active forks of your code that you would recommend? My database project relies havily on pgAgent. Is there a place where I can learn about alternatives? Happy computing... Frank Limpert Am 18.06.26 um 16:51 schrieb Ashesh Vashi: > The pgAdmin Development Team is pleased to announce pgAdmin 4 version > 9.16. > > -- 8< ---- 8< ---- 8< ---- 8< -- > *Deprecation Notice: pgAgent* > > pgAgent has been deprecated and will be discontinued. The pgAgent will > be removed from the website within one month. Support for pgAgent > within pgAdmin will be removed in a future release approximately six > months from now. > Users are encouraged to migrate to an alternative job scheduling > solution before support is removed. > > --- > Ashesh Vashi > > pgAdmin Project ^ permalink raw reply [nested|flat] 3+ messages in thread
* Re: pgAdmin 4 v9.16 Released @ 2026-06-26 23:55 Anthony DeBarros <[email protected]> parent: Frank Limpert <[email protected]> 0 siblings, 0 replies; 3+ messages in thread From: Anthony DeBarros @ 2026-06-26 23:55 UTC (permalink / raw) To: Frank Limpert <[email protected]>; +Cc: pgadmin-support On Jun 26, 2026 at 2:32:57 PM, Frank Limpert <[email protected]> wrote: > Dear pgAdmin Team, > > When and where was pgAgent deprecated? This is the first notice that > reaches me. Are there any active forks of your code that you would > recommend? > > My database project relies havily on pgAgent. Is there a place where I can > learn about alternatives? > > I’ve heard some people mention https://github.com/cybertec-postgresql/pg_timetable Also: https://github.com/citusdata/pg_cron ^ permalink raw reply [nested|flat] 3+ messages in thread
end of thread, other threads:[~2026-06-26 23:55 UTC | newest] Thread overview: 3+ messages (download: mbox mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2026-06-18 14:51 pgAdmin 4 v9.16 Released Ashesh Vashi <[email protected]> 2026-06-26 18:32 ` Frank Limpert <[email protected]> 2026-06-26 23:55 ` Anthony DeBarros <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox