public inbox for [email protected]  
From: Aditya Toshniwal <[email protected]>
To: Rogelio Villafana Sanchez <[email protected]>
Cc: [email protected] <[email protected]>
Cc: Akshay Swami <[email protected]>
Cc: Manas . <[email protected]>
Subject: Re: pgAdmin 4 || vulnerable pip modules
Date: Wed, 18 Feb 2026 11:05:45 +0530
Message-ID: <CAM9w-_=S5ouh8EydZL_qiWkEXMghufbkniDCM0eS9Zaqk=T3NQ@mail.gmail.com>
In-Reply-To: <VI0PR06MB1016513F4D4341D6DF6A823B3E36CA@VI0PR06MB10165.eurprd06.prod.outlook.com>
References: <VI0PR06MB1016513F4D4341D6DF6A823B3E36CA@VI0PR06MB10165.eurprd06.prod.outlook.com>

Hi Rogelio,

I checked the CVE list you shared and the package versions required to fix
them. I then checked the pgAdmin venv for the actual installed versions and
found them all to be newer.
What did you use to scan the CVEs in pgAdmin?

CVE ID           Package         Required Version (or newer)   Primary Action
CVE-2025-68146   filelock        v3.17.0                       Upgrade to prevent symlink-based file corruption.
CVE-2025-68158   Authlib         v1.4.1                        Upgrade to ensure OAuth states are strictly bound to user sessions.
CVE-2025-69277   libsodium       v1.0.21                       Update the underlying C library (often via pynacl update).
CVE-2026-0994    protobuf        v5.29.3                       Upgrade to enforce stricter recursion limits on nested messages.
CVE-2026-21226   azure-core      v1.31.0                       Critical: Upgrade immediately to disable insecure deserialization.
CVE-2026-21441   urllib3         v2.3.1                        Upgrade to fix "Decompression Bomb" handling in redirects.
CVE-2026-21860   Werkzeug        v3.1.4                        Upgrade to properly sanitize Windows reserved device names.
CVE-2026-22701   filelock        v3.18.0                       Upgrade to patch the SoftFileLock race condition.
CVE-2026-22702   virtualenv      v20.29.2                      Upgrade to prevent symlink attacks during environment creation.
CVE-2026-23490   pyasn1          v0.6.2                        Upgrade to prevent memory exhaustion from malformed OIDs.
CVE-2026-23949   jaraco.context  v6.1.0                        Upgrade to fix Path Traversal (Zip Slip) in tarball().
CVE-2026-24049   wheel           v0.45.2                       Upgrade to prevent unauthorized chmod calls during unpacking.
CVE-2026-26007   cryptography    v44.0.2                       Critical: Upgrade to ensure validation of SECT curve points.

On Tue, Feb 17, 2026 at 9:18 PM Rogelio Villafana Sanchez <[email protected]> wrote:

> Hello PGAdmin support team,
>
> Three weeks ago, we completed the upgrade of PGAdmin to v9.11, yet in our
> last vulnerability scan report, several pip modules came into the picture
> as vulnerable versions.
>
> As these are modules which come embedded in the site-packages installer,
> we would like to confirm the questions below with you.
>
>    1. Any existing/coming version that fixes the shared CVEs?
>    2. Will it be in the roadmap? If yes, when is the plan to fix it?
>    3. Can we delete those files, or do we see any impact?
>    4. We can see v9.12 was just released, but does this version fix the
>    CVEs or have the modules on fixed versions?
>    5. Also, we know these CVEs might be false positives; if yes, please
>    share the description.
>
> CVE-2025-68146
> CVE-2025-68158
> CVE-2025-69277
> CVE-2026-0994
> CVE-2026-21226
> CVE-2026-21441
> CVE-2026-21860
> CVE-2026-22701
> CVE-2026-22702
> CVE-2026-23490
> CVE-2026-23949
> CVE-2026-24049
> CVE-2026-26007
>
> Rogelio Villafaña
>
> DevOps Specialist | ATT BSSe
>
> This email and the information contained herein is proprietary and
> confidential and subject to the Amdocs Email Terms of Service, which you
> may review at https://www.amdocs.com/about/email-terms-of-service
>


-- 
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | enterprisedb.com
"Don't Complain about Heat, Plant a TREE"
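As an added example (not pgAdmin project code and not part of this thread), the following script reproduces the check described in the reply: run with the pgAdmin venv's interpreter, it looks up the installed version of each package from the table and reports, per CVE, whether the installed version is at or above the listed minimum. The CVE/package/version rows are transcribed from the table above; the version parsing, the status names and the treatment of libsodium (a C library, so flagged for a manual check rather than looked up on pip) are my own assumptions.

```python
from importlib import metadata
import re

# (CVE, distribution, minimum fixed version) transcribed from the table above.
REQUIRED = [
    ("CVE-2025-68146", "filelock", "3.17.0"),
    ("CVE-2025-68158", "Authlib", "1.4.1"),
    ("CVE-2025-69277", "libsodium", None),  # C library bundled by pynacl, not a pip distribution
    ("CVE-2026-0994", "protobuf", "5.29.3"),
    ("CVE-2026-21226", "azure-core", "1.31.0"),
    ("CVE-2026-21441", "urllib3", "2.3.1"),
    ("CVE-2026-21860", "Werkzeug", "3.1.4"),
    ("CVE-2026-22701", "filelock", "3.18.0"),
    ("CVE-2026-22702", "virtualenv", "20.29.2"),
    ("CVE-2026-23490", "pyasn1", "0.6.2"),
    ("CVE-2026-23949", "jaraco.context", "6.1.0"),
    ("CVE-2026-24049", "wheel", "0.45.2"),
    ("CVE-2026-26007", "cryptography", "44.0.2"),
]

def parse_version(text):
    """'v3.17.0' -> (3, 17, 0), zero-padded to 3 parts; pre-release tags ('rc1') are dropped."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    nums = [int(p) for p in m.group(1).split(".")] if m else [0]  # unparseable -> (0, 0, 0), i.e. fails closed
    return tuple(nums + [0] * (3 - len(nums)))

def meets_minimum(installed, minimum):
    """True when the installed version is at or above the fixed version from the table."""
    return parse_version(installed) >= parse_version(minimum)

def status(have, minimum):
    if minimum is None:
        return "check manually"  # no pip-level minimum (libsodium row)
    if have is None:
        return "not installed"
    return "ok" if meets_minimum(have, minimum) else "vulnerable"

def installed_version(dist):
    """Version recorded in this interpreter's site-packages (run inside the pgAdmin venv), or None."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None

def audit(lookup=installed_version):
    """{CVE: status}; lookup maps a distribution name to its installed version or None."""
    return {cve: status(lookup(dist), minimum) for cve, dist, minimum in REQUIRED}

if __name__ == "__main__":
    print("\n".join(f"{cve}: {state}" for cve, state in audit().items()))
```

Any "vulnerable" or "not installed" row is then worth comparing against what the scanner reported, since a scanner that reads requirement files rather than the venv's installed metadata can disagree with this output.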