From: Aditya Toshniwal <[email protected]>
To: Rogelio Villafana Sanchez <[email protected]>
Cc: Chetan Lohi <[email protected]>
Cc: [email protected] <[email protected]>
Cc: Akshay Swami <[email protected]>
Cc: Manas . <[email protected]>
Subject: Re: pgAdmin 4 || vulnerable pip modules
Date: Tue, 24 Feb 2026 10:26:27 +0530
Message-ID: <CAM9w-_mt92e95U+EKRD9+4UFtPCob2ma6JcNmYnsD2BQVCbcyg@mail.gmail.com>
In-Reply-To: <VI0PR06MB10165B6A69AD773DF1A72F838E377A@VI0PR06MB10165.eurprd06.prod.outlook.com>
References: <VI0PR06MB1016513F4D4341D6DF6A823B3E36CA@VI0PR06MB10165.eurprd06.prod.outlook.com>
<CAM9w-_=S5ouh8EydZL_qiWkEXMghufbkniDCM0eS9Zaqk=T3NQ@mail.gmail.com>
<GV2PR06MB10155A43939D630BB876952EDE36AA@GV2PR06MB10155.eurprd06.prod.outlook.com>
<AMBPR06MB10283D621616BB4FA5B46E6F39B6BA@AMBPR06MB10283.eurprd06.prod.outlook.com>
<VI0PR06MB10165B60F4776FB59E20CBB64E36BA@VI0PR06MB10165.eurprd06.prod.outlook.com>
<CAM9w-_n6fTFroGzLqmtf+tqfVasd=+eeJUKG1-LggnMnAFKTSw@mail.gmail.com>
<VI0PR06MB10165B6A69AD773DF1A72F838E377A@VI0PR06MB10165.eurprd06.prod.outlook.com>
Hi Rogelio,
I didn't find any.
On Tue, Feb 24, 2026 at 1:02 AM Rogelio Villafana Sanchez <[email protected]> wrote:
> Hello @Aditya <[email protected]>,
>
>
>
> Does this mean all mentioned CVEs are fixed in a specific pgAdmin version?
>
>
>
>
>
> *Rogelio Villafaña*
>
> DevOps Specialist | ATT BSSe
>
>
>
>
> *From:* Aditya Toshniwal <[email protected]>
> *Sent:* Monday, February 23, 2026 3:08 AM
> *To:* Rogelio Villafana Sanchez <[email protected]>
> *Cc:* Chetan Lohi <[email protected]>;
> [email protected]; Akshay Swami <[email protected]>;
> Manas . <[email protected]>
> *Subject:* Re: pgAdmin 4 || vulnerable pip modules
>
>
>
>
> Hi Rogelio,
>
>
>
> We've already checked the mentioned CVEs in the latest version. I'm not
> sure how WIZ works.
>
>
>
> On Thu, Feb 19, 2026 at 8:35 PM Rogelio Villafana Sanchez <[email protected]> wrote:
>
> Thanks, Chetan!
>
>
>
> Hi @Aditya Toshniwal <[email protected]>, the only tool
> used is WIZ.
>
>
>
>
>
> *Rogelio Villafaña*
>
> DevOps Specialist | ATT BSSe
>
>
>
>
> *From:* Chetan Lohi <[email protected]>
> *Sent:* Wednesday, February 18, 2026 11:22 PM
> *To:* Rogelio Villafana Sanchez <[email protected]>; Aditya
> Toshniwal <[email protected]>
> *Cc:* [email protected]; Akshay Swami <
> [email protected]>; Manas . <[email protected]>
> *Subject:* RE: pgAdmin 4 || vulnerable pip modules
>
>
>
> Hi Team,
>
>
>
> Wiz itself does vulnerability scanning; there is no additional tool
> involved.
>
>
>
> Regards
>
> Chetan Lohi
>
>
>
> *From:* Rogelio Villafana Sanchez <[email protected]>
> *Sent:* Wednesday, February 18, 2026 11:54 PM
> *To:* Aditya Toshniwal <[email protected]>; Chetan Lohi <
> [email protected]>
> *Cc:* [email protected]; Akshay Swami <
> [email protected]>; Manas . <[email protected]>
> *Subject:* RE: pgAdmin 4 || vulnerable pip modules
>
>
>
> Hello @Chetan <[email protected]>,
>
>
>
> Could you help by sharing the scan tool details used for the WIZ report?
>
>
>
>
>
> *Rogelio Villafaña*
>
> DevOps Specialist | ATT BSSe
>
>
>
>
> *From:* Aditya Toshniwal <[email protected]>
> *Sent:* Tuesday, February 17, 2026 11:36 PM
> *To:* Rogelio Villafana Sanchez <[email protected]>
> *Cc:* [email protected]; Akshay Swami <
> [email protected]>; Manas . <[email protected]>
> *Subject:* Re: pgAdmin 4 || vulnerable pip modules
>
>
>
>
> Hi Rogelio,
>
>
>
> I checked the CVE list you shared and the package versions required to fix
> them. I then checked the pgAdmin venv for the actual installed versions and
> found them all to be newer.
>
> What did you use to scan the CVEs in pgAdmin?
>
>
> CVE ID          Package         Required Version (or newer)   Primary Action
> CVE-2025-68146  filelock        v3.17.0                       Upgrade to prevent symlink-based file corruption.
> CVE-2025-68158  Authlib         v1.4.1                        Upgrade to ensure OAuth states are strictly bound to user sessions.
> CVE-2025-69277  libsodium       v1.0.21                       Update the underlying C library (often via pynacl update).
> CVE-2026-0994   protobuf        v5.29.3                       Upgrade to enforce stricter recursion limits on nested messages.
> CVE-2026-21226  azure-core      v1.31.0                       Critical: Upgrade immediately to disable insecure deserialization.
> CVE-2026-21441  urllib3         v2.3.1                        Upgrade to fix "Decompression Bomb" handling in redirects.
> CVE-2026-21860  Werkzeug        v3.1.4                        Upgrade to properly sanitize Windows reserved device names.
> CVE-2026-22701  filelock        v3.18.0                       Upgrade to patch the SoftFileLock race condition.
> CVE-2026-22702  virtualenv      v20.29.2                      Upgrade to prevent symlink attacks during environment creation.
> CVE-2026-23490  pyasn1          v0.6.2                        Upgrade to prevent memory exhaustion from malformed OIDs.
> CVE-2026-23949  jaraco.context  v6.1.0                        Upgrade to fix Path Traversal (Zip Slip) in tarball().
> CVE-2026-24049  wheel           v0.45.2                       Upgrade to prevent unauthorized chmod calls during unpacking.
> CVE-2026-26007  cryptography    v44.0.2                       Critical: Upgrade to ensure validation of SECT curve points.
>
> On Tue, Feb 17, 2026 at 9:18 PM Rogelio Villafana Sanchez <[email protected]> wrote:
>
> Hello PGAdmin support team,
>
>
>
> Three weeks ago, we completed the upgrade of pgAdmin to v9.11, yet in our
> last vulnerability scan report, several pip modules came up as vulnerable
> versions.
>
> As these are modules which come embedded in the site-packages installer,
> we would like to confirm the questions below with you.
>
>
>
> 1. Is there any existing/upcoming version that fixes the shared CVEs?
> 2. Will it be on the roadmap? If yes, when is the plan to fix it?
> 3. Can we delete those files? Would we see any impact?
> 4. We can see v9.12 was just released, but does this version fix the
> CVEs or have the modules on fixed versions?
> 5. Also, we know these CVEs might be false positives; if yes, please
> share the description.
>
>
>
> CVE-2025-68146
> CVE-2025-68158
> CVE-2025-69277
> CVE-2026-0994
> CVE-2026-21226
> CVE-2026-21441
> CVE-2026-21860
> CVE-2026-22701
> CVE-2026-22702
> CVE-2026-23490
> CVE-2026-23949
> CVE-2026-24049
> CVE-2026-26007
>
>
>
> *Rogelio Villafaña*
>
> DevOps Specialist | ATT BSSe
>
>
>
>
> *This email and the information contained herein is proprietary and
> confidential and subject to the Amdocs Email Terms of Service, which you
> may review at* *https://www.amdocs.com/about/email-terms-of-service*
> <https://www.amdocs.com/about/email-terms-of-service>
>
>
>
>
> --
>
> Thanks,
>
> Aditya Toshniwal
>
> pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com*
> <https://www.enterprisedb.com/>
>
> "Don't Complain about Heat, Plant a TREE"
>
>
>
>
>
>
>
--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com*
<https://www.enterprisedb.com/>
"Don't Complain about Heat, Plant a TREE"
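The check Aditya describes in the thread (actual versions installed in the pgAdmin venv compared against the minimum fixed versions in the table) as an added example that is not part of the thread or of pgAdmin itself: it takes `pip freeze` output from the venv, normalises package names per PEP 503 so that `Authlib`/`authlib` and `jaraco.context`/`jaraco-context` compare equal, and reports each CVE as fixed, vulnerable or absent. The `pip freeze` sample is constructed; libsodium is skipped because it ships inside the pynacl wheel rather than as a pip package.

```python
# Added example (not from the thread): check a pgAdmin venv's `pip freeze`
# output against the minimum fixed versions from the thread's CVE table.
import re
# CVE -> (package, minimum fixed version), from the thread's table. libsodium
# (CVE-2025-69277) is a C library inside the pynacl wheel, not a pip package.
REQUIRED = {
    "CVE-2025-68146": ("filelock", "3.17.0"),
    "CVE-2025-68158": ("Authlib", "1.4.1"),
    "CVE-2026-0994": ("protobuf", "5.29.3"),
    "CVE-2026-21226": ("azure-core", "1.31.0"),
    "CVE-2026-21441": ("urllib3", "2.3.1"),
    "CVE-2026-21860": ("Werkzeug", "3.1.4"),
    "CVE-2026-22701": ("filelock", "3.18.0"),
    "CVE-2026-22702": ("virtualenv", "20.29.2"),
    "CVE-2026-23490": ("pyasn1", "0.6.2"),
    "CVE-2026-23949": ("jaraco.context", "6.1.0"),
    "CVE-2026-24049": ("wheel", "0.45.2"),
    "CVE-2026-26007": ("cryptography", "44.0.2"),
}

def normalize(name):
    # PEP 503: 'Authlib', 'jaraco.context' and 'jaraco-context' are one name.
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(v):
    # Release segments only ("v3.17" -> (3, 17)); pre-release tags ignored.
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", v)
    parts = [int(p) for p in m.group(1).split(".")] if m else []
    while len(parts) > 1 and parts[-1] == 0:  # 3.17.0 == 3.17
        parts.pop()
    return tuple(parts)

def check(freeze_text, required=REQUIRED):
    # Per CVE: 'fixed', 'VULNERABLE', or 'absent' (package not installed).
    installed = {}
    for line in freeze_text.splitlines():  # 'name==version' per line
        name, sep, ver = line.strip().partition("==")
        if sep:
            installed[normalize(name)] = ver
    out = {}
    for cve, (pkg, minimum) in required.items():
        have = installed.get(normalize(pkg))
        if have is None:
            out[cve] = "absent"
        else:
            ok = parse_version(have) >= parse_version(minimum)
            out[cve] = "fixed" if ok else "VULNERABLE"
    return out
# Constructed sample, not a real pgAdmin listing; urllib3 is deliberately old.
SAMPLE_FREEZE = "Authlib==1.4.1\nfilelock==3.17.0\njaraco-context==6.1.0\nurllib3==2.2.0\n"
```

An 'absent' result is worth reporting back to whoever owns the scanner, since a finding against a package that is not installed at all points at a different version source (an OS package, a bundled library, or a stale image) rather than at the venv.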