Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1waE5i-001cT0-1N for pgadmin-support@arkaria.postgresql.org; Thu, 18 Jun 2026 14:51:38 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1waE5h-00C0UB-0O for pgadmin-support@arkaria.postgresql.org; Thu, 18 Jun 2026 14:51:37 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1waE5g-00C0Tf-2i for pgadmin-support@lists.postgresql.org; Thu, 18 Jun 2026 14:51:36 +0000 Received: from mail-ed1-x52a.google.com ([2a00:1450:4864:20::52a]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1waE5d-000000016r1-2dJN for pgadmin-support@postgresql.org; Thu, 18 Jun 2026 14:51:35 +0000 Received: by mail-ed1-x52a.google.com with SMTP id 4fb4d7f45d1cf-695df92156bso107908a12.3 for ; Thu, 18 Jun 2026 07:51:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1781794292; cv=none; d=google.com; s=arc-20240605; b=hQskx46DNVgIXq5jLB1omOJtPE/cyrYlH1A9gaaA7/pF7UDdmDdyzEjHMRqYMsLOmk qr+V383KVaK72OEUH7mgIisr/Gdd2Ixs3s9WbbZK/mvRCoKvy6VPYnShVxJETasEkvpG 8jiVWVx6ZmC/2vTSfFzdpfVIQ21Y/lz1wWxrwvFOQQSxI9Pov8umRielehd0MSI90x6W B2HiX+tVK3VvalFkgpx4WkNZkqLi3o6AnK4hMhhdTtYIXCjpi1I7AqxgQCwdO8oWUYYc 8LaIeAPxzE97yMhKkC217iNNq2in35K6Ux5uLNIgxGmBLYT2e0eKVs2Ruhn5QXis+FmK sldg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:mime-version:dkim-signature; bh=0rmjq7M2oIeKVdkGn7tLnVMh9MhZgQVb0WLM6Uqq38E=; fh=j2HZrm8GWz7HV+mqOt4nOcwwB2+3bvIqVRDp9hEZt1Q=; b=J1IG7n4M79HHU++bNUuorPsQ826FEWUUW+q3rvaE6JJlZ9Z6YPiNvZNHZG3sAaMYOZ tvvDiNkTyKtzIBBVOHzDClYSN8T4jC+FxtNA2YwJcDWwioxaATcn/RKOVLS/Di5BV4KS /cwB/vcjYK2YQbGcrD5/1yxPA7oXpCcI86M3YE4X+J7gCs4HyLTDeBfoe+AsUwBcjwhB p/KV8CtlYTFp56OhagOtKjBR4iPopRYUDFA/yrlDNeEJwj29xGMp2h/+fpD/UOwaXqYW BY5uDnMuKndMxr9fLHZtXgqigJ4SK//PSh3QWLZ8HZSroDvLNSML3bw4ebBEsWZAedH8 JtlQ==; darn=postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1781794292; x=1782399092; darn=postgresql.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=0rmjq7M2oIeKVdkGn7tLnVMh9MhZgQVb0WLM6Uqq38E=; b=LXySP109JrleWzaijl4xGCQ6drJRdyYpCUEJ5Uy+RXAKk/BxKuWoPtb2xpN+jZDoy7 sQ1Ph10zFNUIdAR3oOxk6cyeWuRQjKMNxqliQ7JNl4WhBBYys4e0CGr6+MJY0FCEIqyD 5Moas9GTMRmH6RKXJ5HKiIymEh6Uj3AsyNwSuNyejKQoPD1jIOkFwJhzh9yf8BippDFQ u1SuJc2BBPKEqytynvooMu8nFaoF9KPL45WHWbOGHonYJ3iszl7v9rJYfHU4rgi65+Xl YSqRLpNd13rTzA14LkN5/5zDIdoiwaI/mX66DtiSFtpQIhaxID9d+/0mnsZvK8a69O6x uOpA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781794292; x=1782399092; h=to:subject:message-id:date:from:mime-version:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=0rmjq7M2oIeKVdkGn7tLnVMh9MhZgQVb0WLM6Uqq38E=; b=ToEpjeJMrL6bkb9/L7sCnbIPd0+Z3pgbHp0UAzhr5g20KtH5+dsKGMiPptKptT/xFH iuq5XYxFI8mDTzsX27jk9gH4n5QV2j+3mxwzHDBbll9FG1nRo47IFUOZL7m77dWwRWw/ Oulj/vhu6LH4UUCvNrlK2jiNV0uy5oznkLbSKb9mowxgaRbiWsBt5xIvmp+lCmmAG3nI IwNW1jOXi45Be5nBqtOW7uuNzc1vEpv86A0NRncKLd4SPG6Mz8OJg/nyLaYs1ELNF9tq //7mTJ4OhNM14QQ9WIN/3zOaDW72pnGECLANd1ztYvy3j5+fjtqp9ZD/qpYgN3zMDkaP g2Tg== X-Gm-Message-State: AOJu0YxwSY1LR+UqOq5p1vC9YyQqUXMRN6P9yOVnSgNGz1HWmEcmr5xG wkTancTael5fReZBP9uTfgi+sFdL1EtzPIF+KbNiw4Ow6dnPIoJN9PvfFXUqynYwVFyyIW4GuWH kSC3G9L6mNMV2w5A12UKSnpTS5OB8AuUf9dKU81BQH9pfn612CY0MUlV1 X-Gm-Gg: AfdE7cmxIpI6H0ItVSj5HT00x1HbgdQQPdR+s5BN9+SmS3QD8sLYkYwRFxnPmTK6WBC zFb6o/JUMDBa96rrvHkf9mOcwMI9ckjDk9tGg21QlFkcAN+Rarwomd7Wa+h76Dm6El1sCDMYjrE bw0tkI953U4xSaVH1I3QdBsxq2UndaSOCysLEDb0AAH2bX2w/6Zru6JxB1+zO8u3AqWrTcF9q+8 MlmbdBOMsPmQh7TEL827UaagO+87WTkmeCw3HfCAX5UKamfOUEPc1QuuSDn9unCHz0BKa31o65D jmYNSHTV X-Received: by 2002:a05:6402:370d:b0:687:b843:a1f3 with SMTP id 4fb4d7f45d1cf-695bb1aa0e4mr818741a12.1.1781794290585; Thu, 18 Jun 2026 07:51:30 -0700 (PDT) MIME-Version: 1.0 From: Ashesh Vashi Date: Thu, 18 Jun 2026 20:21:17 +0530 X-Gm-Features: AVVi8Cf5DTuMJtpm9cnpwtlqLDG_YQ8HSJ8fjPBDhBBEkXdWUQQnhMrqrxrbj4Q Message-ID: Subject: pgAdmin 4 v9.16 Released To: pgadmin-support Content-Type: multipart/alternative; boundary="000000000000c0e7780654884fbd" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000c0e7780654884fbd Content-Type: text/plain; charset="UTF-8" The pgAdmin Development Team is pleased to announce pgAdmin 4 version 9.16. This release of pgAdmin 4 includes 64 bug fixes and new features. For more details please see the release notes at: https://www.pgadmin.org/docs/pgadmin4/9.16/release_notes_9_16.html pgAdmin is the leading Open Source graphical management tool for PostgreSQL. For more information, please see: https://www.pgadmin.org/ Notable changes in this release include: *Features:* * Add an option to colourize panel and tab headers based on the connected server's colour, making it easier to tell which server a tab is connected to at a glance. * Add a "Back to login" link to the Forgot Password and Reset Password pages. * Add support for the TOAST tuple target storage parameter in the Materialized View dialog. * Make the init container security context in the Helm chart configurable via containerSecurityContext, consistent with the main container. * Add support for closing a tab with a middle-click on its title. * Allow the OAuth2 login button icon to use any Font Awesome style (e.g. fas fa-key), not only brand icons. *Bugs/Housekeeping:* * Fix SQL injection across sixteen dialog templates that rendered COMMENT ON ... IS '' and the related pgstattuple/pgstatindex stats sinks; switches the affected templates to qtLiteral and rewrites the stats calls to pass the relation OID via a ::oid::regclass cast (CVE-2026-12044). * Fix the AI Assistant read-only transaction bypass that allowed prompt-injected multi-statement payloads to commit out of the READ ONLY wrapper and execute arbitrary SQL, chaining to RCE via COPY ... TO PROGRAM on a superuser connection (CVE-2026-12045). * Fix two SQL Editor endpoints (close and update_connection) missing the @pga_login_required decorator, making them reachable without authentication in server mode and exposing a pickle deserialization sink (CVE-2026-12046). * Fix HTML injection in the cloud deployment module (RDS, Azure, Google) where SDK exception text was forwarded to the browser unsanitised and rendered through html-react-parser in the Cloud Wizard (CVE-2026-12047). * Fix critical stored cross-site scripting where PostgreSQL server error text and Explain plan-node content passed through html-react-parser across notifier toasts, form errors, modal alerts, and the Explain visualiser; under pgAdmin's default Content-Security-Policy, injected script ran same-origin to the victim's session and could exfiltrate saved server credentials and issue SQL against every connected server (CVE-2026-12048). * Fix the open redirect in the multi-factor authentication flow via an unvalidated next parameter (CVE-2026-12049). * Fix SQL injection in the named restore point endpoint where the user-supplied restore point name was interpolated into SQL via str.format() instead of being passed as a bound parameter (CVE-2026-12050). * Remove the administrator-role bypass from the server-access helpers so the access-control checks added in 9.15 (CVE-2026-7813) are enforced uniformly. The Administrator role manages pgAdmin itself, not other users' database connections. * Remove the EDB BigAnimal cloud deployment support, which was deprecated in 9.15. * Preserve jsonb number representation in the JSON editor so trailing fractional zeros and large integers are no longer rewritten when saving unmodified rows. * Fix a View/Edit Data crash when the session contains a transaction object that is not filter-capable (e.g. left by the Query Tool or persisted by an older version), which could prevent the desktop application from loading after an upgrade. * Rebase the version-specific SQL templates so the default targets PostgreSQL 14, the oldest supported server version, dropping the obsolete sub-14 template buckets. * Strip the foreign-architecture slice from the macOS bundle so single-arch builds no longer ship the universal2 Python framework's unused arm64/x86_64 code. * Bump Electron in the desktop runtime to 42.3.3 and pin the packaged Electron version, bump cryptography to 49.0 and other Python and JavaScript dependencies via the dependabot batch. * Update the Italian translation. Builds for Windows and macOS are available now, along with a Python Wheel, Docker Container, RPM, DEB Package, and source code tarball from: https://www.pgadmin.org/download/ *Deprecation Notice: pgAgent* pgAgent has been deprecated and will be discontinued. The pgAgent will be removed from the website within one month. Support for pgAgent within pgAdmin will be removed in a future release approximately six months from now. Users are encouraged to migrate to an alternative job scheduling solution before support is removed. --- Ashesh Vashi pgAdmin Project --000000000000c0e7780654884fbd Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
The pgAdmin Development Team is plea= sed to announce pgAdmin 4 version 9.16.

This release of pgAdmin 4 in= cludes 64 bug fixes and new features. For more details please see the relea= se notes at:

https://www.pgadmin.org/docs/pgad= min4/9.16/release_notes_9_16.html

pgAdmin is the leading Open So= urce graphical management tool for PostgreSQL. For more information, please= see:

https:/= /www.pgadmin.org/

Notable changes in this release include:
Features:

* Add an option to colourize panel and tab header= s based on the connected server's colour, making it easier to tell whic= h server a tab is connected to at a glance.
* Add a "Back to login&= quot; link to the Forgot Password and Reset Password pages.
* Add suppor= t for the TOAST tuple target storage parameter in the Materialized View dia= log.
* Make the init container security context in the Helm chart config= urable via containerSecurityContext, consistent with the main container.* Add support for closing a tab with a middle-click on its title.
* All= ow the OAuth2 login button icon to use any Font Awesome style (e.g. fas fa-= key), not only brand icons.

Bugs/Housekeeping:

* Fix S= QL injection across sixteen dialog templates that rendered COMMENT ON ... I= S '<description>' and the related pgstattuple/pgstatindex sta= ts sinks; switches the affected templates to qtLiteral and rewrites the sta= ts calls to pass the relation OID via a ::oid::regclass cast (CVE-2026-1204= 4).
* Fix the AI Assistant read-only transaction bypass that allowed pro= mpt-injected multi-statement payloads to commit out of the READ ONLY wrappe= r and execute arbitrary SQL, chaining to RCE via COPY ... TO PROGRAM on a s= uperuser connection (CVE-2026-12045).
* Fix two SQL Editor endpoints (cl= ose and update_connection) missing the @pga_login_required decorator, makin= g them reachable without authentication in server mode and exposing a pickl= e deserialization sink (CVE-2026-12046).
* Fix HTML injection in the clo= ud deployment module (RDS, Azure, Google) where SDK exception text was forw= arded to the browser unsanitised and rendered through html-react-parser in = the Cloud Wizard (CVE-2026-12047).
* Fix critical stored cross-site scri= pting where PostgreSQL server error text and Explain plan-node content pass= ed through html-react-parser across notifier toasts, form errors, modal ale= rts, and the Explain visualiser; under pgAdmin's default Content-Securi= ty-Policy, injected script ran same-origin to the victim's session and = could exfiltrate saved server credentials and issue SQL against every conne= cted server (CVE-2026-12048).
* Fix the open redirect in the multi-facto= r authentication flow via an unvalidated next parameter (CVE-2026-12049).* Fix SQL injection in the named restore point endpoint where the user-su= pplied restore point name was interpolated into SQL via str.format() instea= d of being passed as a bound parameter (CVE-2026-12050).
* Remove the ad= ministrator-role bypass from the server-access helpers so the access-contro= l checks added in 9.15 (CVE-2026-7813) are enforced uniformly. The Administ= rator role manages pgAdmin itself, not other users' database connection= s.
* Remove the EDB BigAnimal cloud deployment support, which was deprec= ated in 9.15.
* Preserve jsonb number representation in the JSON editor = so trailing fractional zeros and large integers are no longer rewritten whe= n saving unmodified rows.
* Fix a View/Edit Data crash when the session = contains a transaction object that is not filter-capable (e.g. left by the = Query Tool or persisted by an older version), which could prevent the deskt= op application from loading after an upgrade.
* Rebase the version-speci= fic SQL templates so the default targets PostgreSQL 14, the oldest supporte= d server version, dropping the obsolete sub-14 template buckets.
* Strip= the foreign-architecture slice from the macOS bundle so single-arch builds= no longer ship the universal2 Python framework's unused arm64/x86_64 c= ode.
* Bump Electron in the desktop runtime to 42.3.3 and pin the packag= ed Electron version, bump cryptography to 49.0 and other Python and JavaScr= ipt dependencies via the dependabot batch.
* Update the Italian translat= ion.

Builds for Windows and macOS are available now, along with a Py= thon Wheel, Docker Container, RPM, DEB Package, and source code tarball fro= m:
https= ://www.pgadmin.org/download/

Deprecation Notice: pgAgent<= br>
pgAgent has been deprecated and will be discontinued. The pgAgent wi= ll be removed from the website within one month. Support for pgAgent within= pgAdmin will be removed in a future release approximately six months from = now.
Users are encouraged to migrate to an alternative job scheduling so= lution before support is removed.

---
Ashesh Vashi

<= div>pgAdmin Project
--000000000000c0e7780654884fbd--