pgAdmin 4 || vulnerable pip modules

public inbox for [email protected]  
help / color / mirror / Atom feed

pgAdmin 4 || vulnerable pip modules
8+ messages / 3 participants
[nested] [flat]

* pgAdmin 4 || vulnerable pip modules
@ 2026-02-16 19:40  Rogelio Villafana Sanchez <[email protected]>
  0 siblings, 1 reply; 8+ messages in thread

From: Rogelio Villafana Sanchez @ 2026-02-16 19:40 UTC (permalink / raw)
  To: [email protected] <[email protected]>; +Cc: Rogelio Villafana Sanchez <[email protected]>; Akshay Swami <[email protected]>; Manas . <[email protected]>

Hello PGAdmin support team,

Three weeks ago, we completed the upgrade of PGAdmin to v9.11, yet in our last vulnerabilities scan report, several pip modules came in the picture as vulnerable version.
As these are modules which come embedded in the site packages installer, we would like to confirm below question with you.

  1.  Any existing/coming version that fix shared CVEs?
  2.  Will it be in their roadmap. If yes when is the plan to fix it?
  3.  Can we delete those files do we see any impact?
  4.  We can see v9.12 was just released, but does this version fix the CVEs or have the modules on fixed version?
  5.  Also, we know these CVEs might be false positive if yes, please share the description.

CVE-2025-68146
CVE-2025-68158
CVE-2025-69277
CVE-2026-0994
CVE-2026-21226
CVE-2026-21441
CVE-2026-21860
CVE-2026-22701
CVE-2026-22702
CVE-2026-23490
CVE-2026-23949
CVE-2026-24049
CVE-2026-26007

Rogelio Villafaña
DevOps Specialist | ATT BSSe
[Shape  Description automatically generated with medium confidence]

This email and the information contained herein is proprietary and confidential and subject to the Amdocs Email Terms of Service, which you may review at https://www.amdocs.com/about/email-terms-of-service <https://www.amdocs.com/about/email-terms-of-service;

Attachments:

  [image/gif] image001.gif (532.0K, 3-image001.gif)
  download | view image

  [application/vnd.openxmlformats-officedocument.spreadsheetml.sheet] pgAdmin_vulnerabilities.xlsx (18.5K, 4-pgAdmin_vulnerabilities.xlsx)
  download

^ permalink  raw  reply  [nested|flat] 8+ messages in thread

* Re: pgAdmin 4 || vulnerable pip modules
@ 2026-02-18 05:35  Aditya Toshniwal <[email protected]>
  parent: Rogelio Villafana Sanchez <[email protected]>
  0 siblings, 1 reply; 8+ messages in thread

From: Aditya Toshniwal @ 2026-02-18 05:35 UTC (permalink / raw)
  To: Rogelio Villafana Sanchez <[email protected]>; +Cc: [email protected] <[email protected]>; Akshay Swami <[email protected]>; Manas . <[email protected]>

Hi Rogelio,

I checked the CVE list you shared and the package versions required to fix
it. I then checked the pgAdmin venv for the actual installed versions and
found them all to be newer.
What did you use to scan the CVEs in pgAdmin?

*CVE ID* *Package* *Required Version (or newer)* *Primary Action*
*CVE-2025-68146* filelock *v3.17.0* Upgrade to prevent symlink-based file
corruption.
*CVE-2025-68158* Authlib *v1.4.1* Upgrade to ensure OAuth states are
strictly bound to user sessions.
*CVE-2025-69277* libsodium *v1.0.21* Update the underlying C library (often
via pynacl update).
*CVE-2026-0994* protobuf *v5.29.3* Upgrade to enforce stricter recursion
limits on nested messages.
*CVE-2026-21226* azure-core *v1.31.0* *Critical:* Upgrade immediately to
disable insecure deserialization.
*CVE-2026-21441* urllib3 *v2.3.1* Upgrade to fix "Decompression Bomb"
handling in redirects.
*CVE-2026-21860* Werkzeug *v3.1.4* Upgrade to properly sanitize Windows
reserved device names.
*CVE-2026-22701* filelock *v3.18.0* Upgrade to patch the SoftFileLock race
condition.
*CVE-2026-22702* virtualenv *v20.29.2* Upgrade to prevent symlink attacks
during environment creation.
*CVE-2026-23490* pyasn1 *v0.6.2* Upgrade to prevent memory exhaustion from
malformed OIDs.
*CVE-2026-23949* jaraco.context *v6.1.0* Upgrade to fix Path Traversal (Zip
Slip) in tarball().
*CVE-2026-24049* wheel *v0.45.2* Upgrade to prevent unauthorized chmod
calls during unpacking.
*CVE-2026-26007* cryptography *v44.0.2* *Critical:* Upgrade to ensure
validation of SECT curve points.

On Tue, Feb 17, 2026 at 9:18 PM Rogelio Villafana Sanchez <
[email protected]> wrote:

> Hello PGAdmin support team,
>
>
>
> Three weeks ago, we completed the upgrade of PGAdmin to v9.11, yet in our
> last vulnerabilities scan report, several pip modules came in the picture
> as vulnerable version.
>
> As these are modules which come embedded in the site packages installer,
> we would like to confirm below question with you.
>
>
>
>    1. Any existing/coming version that fix shared CVEs?
>    2. Will it be in their roadmap. If yes when is the plan to fix it?
>    3. Can we delete those files do we see any impact?
>    4. We can see v9.12 was just released, but does this version fix the
>    CVEs or have the modules on fixed version?
>    5. Also, we know these CVEs might be false positive if yes, please
>    share the description.
>
>
>
> CVE-2025-68146
> CVE-2025-68158
> CVE-2025-69277
> CVE-2026-0994
> CVE-2026-21226
> CVE-2026-21441
> CVE-2026-21860
> CVE-2026-22701
> CVE-2026-22702
> CVE-2026-23490
> CVE-2026-23949
> CVE-2026-24049
> CVE-2026-26007
>
>
>
> *Rogelio Villafaña*
>
> DevOps Specialist | ATT BSSe
>
> [image: Shape Description automatically generated with medium confidence]
>
>
>
> *This email and the information contained herein is proprietary and
> confidential and subject to the Amdocs Email Terms of Service, which you
> may review at* *https://www.amdocs.com/about/email-terms-of-service*
> <https://www.amdocs.com/about/email-terms-of-service;
>

-- 
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com*
<https://www.enterprisedb.com/;
"Don't Complain about Heat, Plant a TREE"

Attachments:

  [image/gif] image001.gif (532.0K, 3-image001.gif)
  download | view image

^ permalink  raw  reply  [nested|flat] 8+ messages in thread

* RE: pgAdmin 4 || vulnerable pip modules
@ 2026-02-18 18:23  Rogelio Villafana Sanchez <[email protected]>
  parent: Aditya Toshniwal <[email protected]>
  0 siblings, 1 reply; 8+ messages in thread

From: Rogelio Villafana Sanchez @ 2026-02-18 18:23 UTC (permalink / raw)
  To: Aditya Toshniwal <[email protected]>; Chetan Lohi <[email protected]>; +Cc: [email protected] <[email protected]>; Akshay Swami <[email protected]>; Manas . <[email protected]>

Hello @Chetan<mailto:[email protected]>,

Could you help sharing the scan tool details used for the WIZ report?

Rogelio Villafaña
DevOps Specialist | ATT BSSe
[Shape  Description automatically generated with medium confidence]

From: Aditya Toshniwal <[email protected]>
Sent: Tuesday, February 17, 2026 11:36 PM
To: Rogelio Villafana Sanchez <[email protected]>
Cc: [email protected]; Akshay Swami <[email protected]>; Manas . <[email protected]>
Subject: Re: pgAdmin 4 || vulnerable pip modules

You don't often get email from [email protected]<mailto:[email protected]>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification;
CAUTION: This email is from an external source. Please don’t open any unknown links or attachments.
Hi Rogelio,

I checked the CVE list you shared and the package versions required to fix it. I then checked the pgAdmin venv for the actual installed versions and found them all to be newer.
What did you use to scan the CVEs in pgAdmin?

CVE ID
Package
Required Version (or newer)
Primary Action
CVE-2025-68146
filelock
v3.17.0
Upgrade to prevent symlink-based file corruption.
CVE-2025-68158
Authlib
v1.4.1
Upgrade to ensure OAuth states are strictly bound to user sessions.
CVE-2025-69277
libsodium
v1.0.21
Update the underlying C library (often via pynacl update).
CVE-2026-0994
protobuf
v5.29.3
Upgrade to enforce stricter recursion limits on nested messages.
CVE-2026-21226
azure-core
v1.31.0
Critical: Upgrade immediately to disable insecure deserialization.
CVE-2026-21441
urllib3
v2.3.1
Upgrade to fix "Decompression Bomb" handling in redirects.
CVE-2026-21860
Werkzeug
v3.1.4
Upgrade to properly sanitize Windows reserved device names.
CVE-2026-22701
filelock
v3.18.0
Upgrade to patch the SoftFileLock race condition.
CVE-2026-22702
virtualenv
v20.29.2
Upgrade to prevent symlink attacks during environment creation.
CVE-2026-23490
pyasn1
v0.6.2
Upgrade to prevent memory exhaustion from malformed OIDs.
CVE-2026-23949
jaraco.context
v6.1.0
Upgrade to fix Path Traversal (Zip Slip) in tarball().
CVE-2026-24049
wheel
v0.45.2
Upgrade to prevent unauthorized chmod calls during unpacking.
CVE-2026-26007
cryptography
v44.0.2
Critical: Upgrade to ensure validation of SECT curve points.

On Tue, Feb 17, 2026 at 9:18 PM Rogelio Villafana Sanchez <[email protected]<mailto:[email protected]>> wrote:
Hello PGAdmin support team,

Three weeks ago, we completed the upgrade of PGAdmin to v9.11, yet in our last vulnerabilities scan report, several pip modules came in the picture as vulnerable version.
As these are modules which come embedded in the site packages installer, we would like to confirm below question with you.

  1.  Any existing/coming version that fix shared CVEs?
  2.  Will it be in their roadmap. If yes when is the plan to fix it?
  3.  Can we delete those files do we see any impact?
  4.  We can see v9.12 was just released, but does this version fix the CVEs or have the modules on fixed version?
  5.  Also, we know these CVEs might be false positive if yes, please share the description.

CVE-2025-68146
CVE-2025-68158
CVE-2025-69277
CVE-2026-0994
CVE-2026-21226
CVE-2026-21441
CVE-2026-21860
CVE-2026-22701
CVE-2026-22702
CVE-2026-23490
CVE-2026-23949
CVE-2026-24049
CVE-2026-26007

Rogelio Villafaña
DevOps Specialist | ATT BSSe
[Shape    Description automatically generated with medium confidence]

This email and the information contained herein is proprietary and confidential and subject to the Amdocs Email Terms of Service, which you may review at https://www.amdocs.com/about/email-terms-of-service

--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | enterprisedb.com<https://www.enterprisedb.com/;
"Don't Complain about Heat, Plant a TREE"
This email and the information contained herein is proprietary and confidential and subject to the Amdocs Email Terms of Service, which you may review at https://www.amdocs.com/about/email-terms-of-service <https://www.amdocs.com/about/email-terms-of-service;

Attachments:

  [image/gif] image001.gif (532.0K, 3-image001.gif)
  download | view image

^ permalink  raw  reply  [nested|flat] 8+ messages in thread

* RE: pgAdmin 4 || vulnerable pip modules
@ 2026-02-19 05:22  Chetan Lohi <[email protected]>
  parent: Rogelio Villafana Sanchez <[email protected]>
  0 siblings, 1 reply; 8+ messages in thread

From: Chetan Lohi @ 2026-02-19 05:22 UTC (permalink / raw)
  To: Rogelio Villafana Sanchez <[email protected]>; Aditya Toshniwal <[email protected]>; +Cc: [email protected] <[email protected]>; Akshay Swami <[email protected]>; Manas . <[email protected]>

Hi Team,

Wiz itself does vulnerability scanning there is no additional tool involved.

Regards
Chetan Lohi

From: Rogelio Villafana Sanchez <[email protected]>
Sent: Wednesday, February 18, 2026 11:54 PM
To: Aditya Toshniwal <[email protected]>; Chetan Lohi <[email protected]>
Cc: [email protected]; Akshay Swami <[email protected]>; Manas . <[email protected]>
Subject: RE: pgAdmin 4 || vulnerable pip modules

Hello @Chetan<mailto:[email protected]>,

Could you help sharing the scan tool details used for the WIZ report?

Rogelio Villafaña
DevOps Specialist | ATT BSSe
[Shape  Description automatically generated with medium confidence]

From: Aditya Toshniwal <[email protected]<mailto:[email protected]>>
Sent: Tuesday, February 17, 2026 11:36 PM
To: Rogelio Villafana Sanchez <[email protected]<mailto:[email protected]>>
Cc: [email protected]<mailto:[email protected]>; Akshay Swami <[email protected]<mailto:[email protected]>>; Manas . <[email protected]<mailto:[email protected]>>
Subject: Re: pgAdmin 4 || vulnerable pip modules

You don't often get email from [email protected]<mailto:[email protected]>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification;
CAUTION: This email is from an external source. Please don’t open any unknown links or attachments.
Hi Rogelio,

I checked the CVE list you shared and the package versions required to fix it. I then checked the pgAdmin venv for the actual installed versions and found them all to be newer.
What did you use to scan the CVEs in pgAdmin?

CVE ID
Package
Required Version (or newer)
Primary Action
CVE-2025-68146
filelock
v3.17.0
Upgrade to prevent symlink-based file corruption.
CVE-2025-68158
Authlib
v1.4.1
Upgrade to ensure OAuth states are strictly bound to user sessions.
CVE-2025-69277
libsodium
v1.0.21
Update the underlying C library (often via pynacl update).
CVE-2026-0994
protobuf
v5.29.3
Upgrade to enforce stricter recursion limits on nested messages.
CVE-2026-21226
azure-core
v1.31.0
Critical: Upgrade immediately to disable insecure deserialization.
CVE-2026-21441
urllib3
v2.3.1
Upgrade to fix "Decompression Bomb" handling in redirects.
CVE-2026-21860
Werkzeug
v3.1.4
Upgrade to properly sanitize Windows reserved device names.
CVE-2026-22701
filelock
v3.18.0
Upgrade to patch the SoftFileLock race condition.
CVE-2026-22702
virtualenv
v20.29.2
Upgrade to prevent symlink attacks during environment creation.
CVE-2026-23490
pyasn1
v0.6.2
Upgrade to prevent memory exhaustion from malformed OIDs.
CVE-2026-23949
jaraco.context
v6.1.0
Upgrade to fix Path Traversal (Zip Slip) in tarball().
CVE-2026-24049
wheel
v0.45.2
Upgrade to prevent unauthorized chmod calls during unpacking.
CVE-2026-26007
cryptography
v44.0.2
Critical: Upgrade to ensure validation of SECT curve points.

On Tue, Feb 17, 2026 at 9:18 PM Rogelio Villafana Sanchez <[email protected]<mailto:[email protected]>> wrote:
Hello PGAdmin support team,

Three weeks ago, we completed the upgrade of PGAdmin to v9.11, yet in our last vulnerabilities scan report, several pip modules came in the picture as vulnerable version.
As these are modules which come embedded in the site packages installer, we would like to confirm below question with you.

  1.  Any existing/coming version that fix shared CVEs?
  2.  Will it be in their roadmap. If yes when is the plan to fix it?
  3.  Can we delete those files do we see any impact?
  4.  We can see v9.12 was just released, but does this version fix the CVEs or have the modules on fixed version?
  5.  Also, we know these CVEs might be false positive if yes, please share the description.

CVE-2025-68146
CVE-2025-68158
CVE-2025-69277
CVE-2026-0994
CVE-2026-21226
CVE-2026-21441
CVE-2026-21860
CVE-2026-22701
CVE-2026-22702
CVE-2026-23490
CVE-2026-23949
CVE-2026-24049
CVE-2026-26007

Rogelio Villafaña
DevOps Specialist | ATT BSSe
[Shape    Description automatically generated with medium confidence]

This email and the information contained herein is proprietary and confidential and subject to the Amdocs Email Terms of Service, which you may review at https://www.amdocs.com/about/email-terms-of-service

--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | enterprisedb.com<https://www.enterprisedb.com/;
"Don't Complain about Heat, Plant a TREE"
This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at https://www.amdocs.com/about/email-disclaimer <https://www.amdocs.com/about/email-disclaimer;

Amdocs Development Centre India Private Limited having CIN: U72200PN2004PTC0188320 converted into Amdocs Development Centre India LLP (A limited liability partnership with LLP Identification Number: AAI-6901 effective 28th Feb 2017)

Attachments:

  [image/gif] image001.gif (532.0K, 3-image001.gif)
  download | view image

^ permalink  raw  reply  [nested|flat] 8+ messages in thread

* RE: pgAdmin 4 || vulnerable pip modules
@ 2026-02-19 15:05  Rogelio Villafana Sanchez <[email protected]>
  parent: Chetan Lohi <[email protected]>
  0 siblings, 1 reply; 8+ messages in thread

From: Rogelio Villafana Sanchez @ 2026-02-19 15:05 UTC (permalink / raw)
  To: Chetan Lohi <[email protected]>; Aditya Toshniwal <[email protected]>; +Cc: [email protected] <[email protected]>; Akshay Swami <[email protected]>; Manas . <[email protected]>

Thanks, Chetan!

Hi @Aditya Toshniwal<mailto:[email protected]>, the only tool used its WIZ.

Rogelio Villafaña
DevOps Specialist | ATT BSSe
[Shape  Description automatically generated with medium confidence]

From: Chetan Lohi <[email protected]>
Sent: Wednesday, February 18, 2026 11:22 PM
To: Rogelio Villafana Sanchez <[email protected]>; Aditya Toshniwal <[email protected]>
Cc: [email protected]; Akshay Swami <[email protected]>; Manas . <[email protected]>
Subject: RE: pgAdmin 4 || vulnerable pip modules

Hi Team,

Wiz itself does vulnerability scanning there is no additional tool involved.

Regards
Chetan Lohi

From: Rogelio Villafana Sanchez <[email protected]<mailto:[email protected]>>
Sent: Wednesday, February 18, 2026 11:54 PM
To: Aditya Toshniwal <[email protected]<mailto:[email protected]>>; Chetan Lohi <[email protected]<mailto:[email protected]>>
Cc: [email protected]<mailto:[email protected]>; Akshay Swami <[email protected]<mailto:[email protected]>>; Manas . <[email protected]<mailto:[email protected]>>
Subject: RE: pgAdmin 4 || vulnerable pip modules

Hello @Chetan<mailto:[email protected]>,

Could you help sharing the scan tool details used for the WIZ report?

Rogelio Villafaña
DevOps Specialist | ATT BSSe
[Shape  Description automatically generated with medium confidence]

From: Aditya Toshniwal <[email protected]<mailto:[email protected]>>
Sent: Tuesday, February 17, 2026 11:36 PM
To: Rogelio Villafana Sanchez <[email protected]<mailto:[email protected]>>
Cc: [email protected]<mailto:[email protected]>; Akshay Swami <[email protected]<mailto:[email protected]>>; Manas . <[email protected]<mailto:[email protected]>>
Subject: Re: pgAdmin 4 || vulnerable pip modules

You don't often get email from [email protected]<mailto:[email protected]>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification;
CAUTION: This email is from an external source. Please don’t open any unknown links or attachments.
Hi Rogelio,

I checked the CVE list you shared and the package versions required to fix it. I then checked the pgAdmin venv for the actual installed versions and found them all to be newer.
What did you use to scan the CVEs in pgAdmin?

CVE ID
Package
Required Version (or newer)
Primary Action
CVE-2025-68146
filelock
v3.17.0
Upgrade to prevent symlink-based file corruption.
CVE-2025-68158
Authlib
v1.4.1
Upgrade to ensure OAuth states are strictly bound to user sessions.
CVE-2025-69277
libsodium
v1.0.21
Update the underlying C library (often via pynacl update).
CVE-2026-0994
protobuf
v5.29.3
Upgrade to enforce stricter recursion limits on nested messages.
CVE-2026-21226
azure-core
v1.31.0
Critical: Upgrade immediately to disable insecure deserialization.
CVE-2026-21441
urllib3
v2.3.1
Upgrade to fix "Decompression Bomb" handling in redirects.
CVE-2026-21860
Werkzeug
v3.1.4
Upgrade to properly sanitize Windows reserved device names.
CVE-2026-22701
filelock
v3.18.0
Upgrade to patch the SoftFileLock race condition.
CVE-2026-22702
virtualenv
v20.29.2
Upgrade to prevent symlink attacks during environment creation.
CVE-2026-23490
pyasn1
v0.6.2
Upgrade to prevent memory exhaustion from malformed OIDs.
CVE-2026-23949
jaraco.context
v6.1.0
Upgrade to fix Path Traversal (Zip Slip) in tarball().
CVE-2026-24049
wheel
v0.45.2
Upgrade to prevent unauthorized chmod calls during unpacking.
CVE-2026-26007
cryptography
v44.0.2
Critical: Upgrade to ensure validation of SECT curve points.

On Tue, Feb 17, 2026 at 9:18 PM Rogelio Villafana Sanchez <[email protected]<mailto:[email protected]>> wrote:
Hello PGAdmin support team,

Three weeks ago, we completed the upgrade of PGAdmin to v9.11, yet in our last vulnerabilities scan report, several pip modules came in the picture as vulnerable version.
As these are modules which come embedded in the site packages installer, we would like to confirm below question with you.

  1.  Any existing/coming version that fix shared CVEs?
  2.  Will it be in their roadmap. If yes when is the plan to fix it?
  3.  Can we delete those files do we see any impact?
  4.  We can see v9.12 was just released, but does this version fix the CVEs or have the modules on fixed version?
  5.  Also, we know these CVEs might be false positive if yes, please share the description.

CVE-2025-68146
CVE-2025-68158
CVE-2025-69277
CVE-2026-0994
CVE-2026-21226
CVE-2026-21441
CVE-2026-21860
CVE-2026-22701
CVE-2026-22702
CVE-2026-23490
CVE-2026-23949
CVE-2026-24049
CVE-2026-26007

Rogelio Villafaña
DevOps Specialist | ATT BSSe
[Shape    Description automatically generated with medium confidence]

This email and the information contained herein is proprietary and confidential and subject to the Amdocs Email Terms of Service, which you may review at https://www.amdocs.com/about/email-terms-of-service

--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | enterprisedb.com<https://www.enterprisedb.com/;
"Don't Complain about Heat, Plant a TREE"
This email and the information contained herein is proprietary and confidential and subject to the Amdocs Email Terms of Service, which you may review at https://www.amdocs.com/about/email-terms-of-service <https://www.amdocs.com/about/email-terms-of-service;

Attachments:

  [image/gif] image001.gif (532.0K, 3-image001.gif)
  download | view image

^ permalink  raw  reply  [nested|flat] 8+ messages in thread

* Re: pgAdmin 4 || vulnerable pip modules
@ 2026-02-23 09:07  Aditya Toshniwal <[email protected]>
  parent: Rogelio Villafana Sanchez <[email protected]>
  0 siblings, 1 reply; 8+ messages in thread

From: Aditya Toshniwal @ 2026-02-23 09:07 UTC (permalink / raw)
  To: Rogelio Villafana Sanchez <[email protected]>; +Cc: Chetan Lohi <[email protected]>; [email protected] <[email protected]>; Akshay Swami <[email protected]>; Manas . <[email protected]>

Hi Rogelio,

We've already checked the mentioned CVEs in the latest version. I'm not
sure how WIZ works.

On Thu, Feb 19, 2026 at 8:35 PM Rogelio Villafana Sanchez <
[email protected]> wrote:

> Thanks, Chetan!
>
>
>
> Hi @Aditya Toshniwal <[email protected]>, the only tool
> used its WIZ.
>
>
>
>
>
> *Rogelio Villafaña*
>
> DevOps Specialist | ATT BSSe
>
> [image: Shape Description automatically generated with medium confidence]
>
>
>
> *From:* Chetan Lohi <[email protected]>
> *Sent:* Wednesday, February 18, 2026 11:22 PM
> *To:* Rogelio Villafana Sanchez <[email protected]>; Aditya
> Toshniwal <[email protected]>
> *Cc:* [email protected]; Akshay Swami <
> [email protected]>; Manas . <[email protected]>
> *Subject:* RE: pgAdmin 4 || vulnerable pip modules
>
>
>
> Hi Team,
>
>
>
> Wiz itself does vulnerability scanning there is no additional tool
> involved.
>
>
>
> Regards
>
> Chetan Lohi
>
>
>
> *From:* Rogelio Villafana Sanchez <[email protected]>
> *Sent:* Wednesday, February 18, 2026 11:54 PM
> *To:* Aditya Toshniwal <[email protected]>; Chetan Lohi <
> [email protected]>
> *Cc:* [email protected]; Akshay Swami <
> [email protected]>; Manas . <[email protected]>
> *Subject:* RE: pgAdmin 4 || vulnerable pip modules
>
>
>
> Hello @Chetan <[email protected]>,
>
>
>
> Could you help sharing the scan tool details used for the WIZ report?
>
>
>
>
>
> *Rogelio Villafaña*
>
> DevOps Specialist | ATT BSSe
>
> [image: Shape Description automatically generated with medium confidence]
>
>
>
> *From:* Aditya Toshniwal <[email protected]>
> *Sent:* Tuesday, February 17, 2026 11:36 PM
> *To:* Rogelio Villafana Sanchez <[email protected]>
> *Cc:* [email protected]; Akshay Swami <
> [email protected]>; Manas . <[email protected]>
> *Subject:* Re: pgAdmin 4 || vulnerable pip modules
>
>
>
> You don't often get email from [email protected]. Learn
> why this is important <https://aka.ms/LearnAboutSenderIdentification;
>
> *CAUTION:* This email is from an external source. Please don’t open any
> unknown links or attachments.
>
> Hi Rogelio,
>
>
>
> I checked the CVE list you shared and the package versions required to fix
> it. I then checked the pgAdmin venv for the actual installed versions and
> found them all to be newer.
>
> What did you use to scan the CVEs in pgAdmin?
>
>
>
> *CVE ID*
>
> *Package*
>
> *Required Version (or newer)*
>
> *Primary Action*
>
> *CVE-2025-68146*
>
> filelock
>
> *v3.17.0*
>
> Upgrade to prevent symlink-based file corruption.
>
> *CVE-2025-68158*
>
> Authlib
>
> *v1.4.1*
>
> Upgrade to ensure OAuth states are strictly bound to user sessions.
>
> *CVE-2025-69277*
>
> libsodium
>
> *v1.0.21*
>
> Update the underlying C library (often via pynacl update).
>
> *CVE-2026-0994*
>
> protobuf
>
> *v5.29.3*
>
> Upgrade to enforce stricter recursion limits on nested messages.
>
> *CVE-2026-21226*
>
> azure-core
>
> *v1.31.0*
>
> *Critical:* Upgrade immediately to disable insecure deserialization.
>
> *CVE-2026-21441*
>
> urllib3
>
> *v2.3.1*
>
> Upgrade to fix "Decompression Bomb" handling in redirects.
>
> *CVE-2026-21860*
>
> Werkzeug
>
> *v3.1.4*
>
> Upgrade to properly sanitize Windows reserved device names.
>
> *CVE-2026-22701*
>
> filelock
>
> *v3.18.0*
>
> Upgrade to patch the SoftFileLock race condition.
>
> *CVE-2026-22702*
>
> virtualenv
>
> *v20.29.2*
>
> Upgrade to prevent symlink attacks during environment creation.
>
> *CVE-2026-23490*
>
> pyasn1
>
> *v0.6.2*
>
> Upgrade to prevent memory exhaustion from malformed OIDs.
>
> *CVE-2026-23949*
>
> jaraco.context
>
> *v6.1.0*
>
> Upgrade to fix Path Traversal (Zip Slip) in tarball().
>
> *CVE-2026-24049*
>
> wheel
>
> *v0.45.2*
>
> Upgrade to prevent unauthorized chmod calls during unpacking.
>
> *CVE-2026-26007*
>
> cryptography
>
> *v44.0.2*
>
> *Critical:* Upgrade to ensure validation of SECT curve points.
>
>
>
> On Tue, Feb 17, 2026 at 9:18 PM Rogelio Villafana Sanchez <
> [email protected]> wrote:
>
> Hello PGAdmin support team,
>
>
>
> Three weeks ago, we completed the upgrade of PGAdmin to v9.11, yet in our
> last vulnerabilities scan report, several pip modules came in the picture
> as vulnerable version.
>
> As these are modules which come embedded in the site packages installer,
> we would like to confirm below question with you.
>
>
>
>    1. Any existing/coming version that fix shared CVEs?
>    2. Will it be in their roadmap. If yes when is the plan to fix it?
>    3. Can we delete those files do we see any impact?
>    4. We can see v9.12 was just released, but does this version fix the
>    CVEs or have the modules on fixed version?
>    5. Also, we know these CVEs might be false positive if yes, please
>    share the description.
>
>
>
> CVE-2025-68146
> CVE-2025-68158
> CVE-2025-69277
> CVE-2026-0994
> CVE-2026-21226
> CVE-2026-21441
> CVE-2026-21860
> CVE-2026-22701
> CVE-2026-22702
> CVE-2026-23490
> CVE-2026-23949
> CVE-2026-24049
> CVE-2026-26007
>
>
>
> *Rogelio Villafaña*
>
> DevOps Specialist | ATT BSSe
>
> [image: Shape Description automatically generated with medium confidence]
>
>
>
> *This email and the information contained herein is proprietary and
> confidential and subject to the Amdocs Email Terms of Service, which you
> may review at* *https://www.amdocs.com/about/email-terms-of-service*
> <https://www.amdocs.com/about/email-terms-of-service;
>
>
>
>
> --
>
> Thanks,
>
> Aditya Toshniwal
>
> pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com*
> <https://www.enterprisedb.com/;
>
> "Don't Complain about Heat, Plant a TREE"
>
> *This email and the information contained herein is proprietary and
> confidential and subject to the Amdocs Email Terms of Service, which you
> may review at* *https://www.amdocs.com/about/email-terms-of-service*
> <https://www.amdocs.com/about/email-terms-of-service;
>


-- 
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com*
<https://www.enterprisedb.com/;
"Don't Complain about Heat, Plant a TREE"


Attachments:

  [image/gif] image001.gif (532.0K, 3-image001.gif)
  download | view image

^ permalink  raw  reply  [nested|flat] 8+ messages in thread

* RE: pgAdmin 4 || vulnerable pip modules
@ 2026-02-23 19:32  Rogelio Villafana Sanchez <[email protected]>
  parent: Aditya Toshniwal <[email protected]>
  0 siblings, 1 reply; 8+ messages in thread

From: Rogelio Villafana Sanchez @ 2026-02-23 19:32 UTC (permalink / raw)
  To: Aditya Toshniwal <[email protected]>; +Cc: Chetan Lohi <[email protected]>; [email protected] <[email protected]>; Akshay Swami <[email protected]>; Manas . <[email protected]>

Hello @Aditya<mailto:[email protected]>,

Means all mentioned CVEs are fixed on specific PgAdmin version?

Rogelio Villafaña
DevOps Specialist | ATT BSSe
[Shape  Description automatically generated with medium confidence]

From: Aditya Toshniwal <[email protected]>
Sent: Monday, February 23, 2026 3:08 AM
To: Rogelio Villafana Sanchez <[email protected]>
Cc: Chetan Lohi <[email protected]>; [email protected]; Akshay Swami <[email protected]>; Manas . <[email protected]>
Subject: Re: pgAdmin 4 || vulnerable pip modules

CAUTION: This email is from an external source. Please don’t open any unknown links or attachments.
Hi Rogelio,

We've already checked the mentioned CVEs in the latest version. I'm not sure how WIZ works.

On Thu, Feb 19, 2026 at 8:35 PM Rogelio Villafana Sanchez <[email protected]<mailto:[email protected]>> wrote:
Thanks, Chetan!

Hi @Aditya Toshniwal<mailto:[email protected]>, the only tool used its WIZ.

Rogelio Villafaña
DevOps Specialist | ATT BSSe
[Shape    Description automatically generated with medium confidence]

From: Chetan Lohi <[email protected]<mailto:[email protected]>>
Sent: Wednesday, February 18, 2026 11:22 PM
To: Rogelio Villafana Sanchez <[email protected]<mailto:[email protected]>>; Aditya Toshniwal <[email protected]<mailto:[email protected]>>
Cc: [email protected]<mailto:[email protected]>; Akshay Swami <[email protected]<mailto:[email protected]>>; Manas . <[email protected]<mailto:[email protected]>>
Subject: RE: pgAdmin 4 || vulnerable pip modules

Hi Team,

Wiz itself does vulnerability scanning there is no additional tool involved.

Regards
Chetan Lohi

From: Rogelio Villafana Sanchez <[email protected]<mailto:[email protected]>>
Sent: Wednesday, February 18, 2026 11:54 PM
To: Aditya Toshniwal <[email protected]<mailto:[email protected]>>; Chetan Lohi <[email protected]<mailto:[email protected]>>
Cc: [email protected]<mailto:[email protected]>; Akshay Swami <[email protected]<mailto:[email protected]>>; Manas . <[email protected]<mailto:[email protected]>>
Subject: RE: pgAdmin 4 || vulnerable pip modules

Hello @Chetan<mailto:[email protected]>,

Could you help sharing the scan tool details used for the WIZ report?

Rogelio Villafaña
DevOps Specialist | ATT BSSe
[Shape    Description automatically generated with medium confidence]

From: Aditya Toshniwal <[email protected]<mailto:[email protected]>>
Sent: Tuesday, February 17, 2026 11:36 PM
To: Rogelio Villafana Sanchez <[email protected]<mailto:[email protected]>>
Cc: [email protected]<mailto:[email protected]>; Akshay Swami <[email protected]<mailto:[email protected]>>; Manas . <[email protected]<mailto:[email protected]>>
Subject: Re: pgAdmin 4 || vulnerable pip modules

You don't often get email from [email protected]<mailto:[email protected]>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification;
CAUTION: This email is from an external source. Please don’t open any unknown links or attachments.
Hi Rogelio,

I checked the CVE list you shared and the package versions required to fix it. I then checked the pgAdmin venv for the actual installed versions and found them all to be newer.
What did you use to scan the CVEs in pgAdmin?

CVE ID
Package
Required Version (or newer)
Primary Action
CVE-2025-68146
filelock
v3.17.0
Upgrade to prevent symlink-based file corruption.
CVE-2025-68158
Authlib
v1.4.1
Upgrade to ensure OAuth states are strictly bound to user sessions.
CVE-2025-69277
libsodium
v1.0.21
Update the underlying C library (often via pynacl update).
CVE-2026-0994
protobuf
v5.29.3
Upgrade to enforce stricter recursion limits on nested messages.
CVE-2026-21226
azure-core
v1.31.0
Critical: Upgrade immediately to disable insecure deserialization.
CVE-2026-21441
urllib3
v2.3.1
Upgrade to fix "Decompression Bomb" handling in redirects.
CVE-2026-21860
Werkzeug
v3.1.4
Upgrade to properly sanitize Windows reserved device names.
CVE-2026-22701
filelock
v3.18.0
Upgrade to patch the SoftFileLock race condition.
CVE-2026-22702
virtualenv
v20.29.2
Upgrade to prevent symlink attacks during environment creation.
CVE-2026-23490
pyasn1
v0.6.2
Upgrade to prevent memory exhaustion from malformed OIDs.
CVE-2026-23949
jaraco.context
v6.1.0
Upgrade to fix Path Traversal (Zip Slip) in tarball().
CVE-2026-24049
wheel
v0.45.2
Upgrade to prevent unauthorized chmod calls during unpacking.
CVE-2026-26007
cryptography
v44.0.2
Critical: Upgrade to ensure validation of SECT curve points.

On Tue, Feb 17, 2026 at 9:18 PM Rogelio Villafana Sanchez <[email protected]<mailto:[email protected]>> wrote:
Hello PGAdmin support team,

Three weeks ago, we completed the upgrade of PGAdmin to v9.11, yet in our last vulnerabilities scan report, several pip modules came in the picture as vulnerable version.
As these are modules which come embedded in the site packages installer, we would like to confirm below question with you.

  1.  Any existing/coming version that fix shared CVEs?
  2.  Will it be in their roadmap. If yes when is the plan to fix it?
  3.  Can we delete those files do we see any impact?
  4.  We can see v9.12 was just released, but does this version fix the CVEs or have the modules on fixed version?
  5.  Also, we know these CVEs might be false positive if yes, please share the description.

CVE-2025-68146
CVE-2025-68158
CVE-2025-69277
CVE-2026-0994
CVE-2026-21226
CVE-2026-21441
CVE-2026-21860
CVE-2026-22701
CVE-2026-22702
CVE-2026-23490
CVE-2026-23949
CVE-2026-24049
CVE-2026-26007

Rogelio Villafaña
DevOps Specialist | ATT BSSe
[Shape    Description automatically generated with medium confidence]

This email and the information contained herein is proprietary and confidential and subject to the Amdocs Email Terms of Service, which you may review at https://www.amdocs.com/about/email-terms-of-service

--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | enterprisedb.com<https://www.enterprisedb.com/;
"Don't Complain about Heat, Plant a TREE"
This email and the information contained herein is proprietary and confidential and subject to the Amdocs Email Terms of Service, which you may review at https://www.amdocs.com/about/email-terms-of-service

--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | enterprisedb.com<https://www.enterprisedb.com/;
"Don't Complain about Heat, Plant a TREE"
This email and the information contained herein is proprietary and confidential and subject to the Amdocs Email Terms of Service, which you may review at https://www.amdocs.com/about/email-terms-of-service <https://www.amdocs.com/about/email-terms-of-service;

Attachments:

  [image/gif] image001.gif (532.0K, 3-image001.gif)
  download | view image

^ permalink  raw  reply  [nested|flat] 8+ messages in thread

* Re: pgAdmin 4 || vulnerable pip modules
@ 2026-02-24 04:56  Aditya Toshniwal <[email protected]>
  parent: Rogelio Villafana Sanchez <[email protected]>
  0 siblings, 0 replies; 8+ messages in thread

From: Aditya Toshniwal @ 2026-02-24 04:56 UTC (permalink / raw)
  To: Rogelio Villafana Sanchez <[email protected]>; +Cc: Chetan Lohi <[email protected]>; [email protected] <[email protected]>; Akshay Swami <[email protected]>; Manas . <[email protected]>

Hi Rogelio,

I didn't find any.

On Tue, Feb 24, 2026 at 1:02 AM Rogelio Villafana Sanchez <
[email protected]> wrote:

> Hello @Aditya <[email protected]>,
>
>
>
> Means all mentioned CVEs are fixed on specific PgAdmin version?
>
>
>
>
>
> *Rogelio Villafaña*
>
> DevOps Specialist | ATT BSSe
>
> [image: Shape Description automatically generated with medium confidence]
>
>
>
> *From:* Aditya Toshniwal <[email protected]>
> *Sent:* Monday, February 23, 2026 3:08 AM
> *To:* Rogelio Villafana Sanchez <[email protected]>
> *Cc:* Chetan Lohi <[email protected]>;
> [email protected]; Akshay Swami <[email protected]>;
> Manas . <[email protected]>
> *Subject:* Re: pgAdmin 4 || vulnerable pip modules
>
>
>
> *CAUTION:* This email is from an external source. Please don’t open any
> unknown links or attachments.
>
> Hi Rogelio,
>
>
>
> We've already checked the mentioned CVEs in the latest version. I'm not
> sure how WIZ works.
>
>
>
> On Thu, Feb 19, 2026 at 8:35 PM Rogelio Villafana Sanchez <
> [email protected]> wrote:
>
> Thanks, Chetan!
>
>
>
> Hi @Aditya Toshniwal <[email protected]>, the only tool
> used its WIZ.
>
>
>
>
>
> *Rogelio Villafaña*
>
> DevOps Specialist | ATT BSSe
>
> [image: Shape Description automatically generated with medium confidence]
>
>
>
> *From:* Chetan Lohi <[email protected]>
> *Sent:* Wednesday, February 18, 2026 11:22 PM
> *To:* Rogelio Villafana Sanchez <[email protected]>; Aditya
> Toshniwal <[email protected]>
> *Cc:* [email protected]; Akshay Swami <
> [email protected]>; Manas . <[email protected]>
> *Subject:* RE: pgAdmin 4 || vulnerable pip modules
>
>
>
> Hi Team,
>
>
>
> Wiz itself does vulnerability scanning there is no additional tool
> involved.
>
>
>
> Regards
>
> Chetan Lohi
>
>
>
> *From:* Rogelio Villafana Sanchez <[email protected]>
> *Sent:* Wednesday, February 18, 2026 11:54 PM
> *To:* Aditya Toshniwal <[email protected]>; Chetan Lohi <
> [email protected]>
> *Cc:* [email protected]; Akshay Swami <
> [email protected]>; Manas . <[email protected]>
> *Subject:* RE: pgAdmin 4 || vulnerable pip modules
>
>
>
> Hello @Chetan <[email protected]>,
>
>
>
> Could you help sharing the scan tool details used for the WIZ report?
>
>
>
>
>
> *Rogelio Villafaña*
>
> DevOps Specialist | ATT BSSe
>
> [image: Shape Description automatically generated with medium confidence]
>
>
>
> *From:* Aditya Toshniwal <[email protected]>
> *Sent:* Tuesday, February 17, 2026 11:36 PM
> *To:* Rogelio Villafana Sanchez <[email protected]>
> *Cc:* [email protected]; Akshay Swami <
> [email protected]>; Manas . <[email protected]>
> *Subject:* Re: pgAdmin 4 || vulnerable pip modules
>
>
>
> You don't often get email from [email protected]. Learn
> why this is important <https://aka.ms/LearnAboutSenderIdentification;
>
> *CAUTION:* This email is from an external source. Please don’t open any
> unknown links or attachments.
>
> Hi Rogelio,
>
>
>
> I checked the CVE list you shared and the package versions required to fix
> it. I then checked the pgAdmin venv for the actual installed versions and
> found them all to be newer.
>
> What did you use to scan the CVEs in pgAdmin?
>
>
>
> *CVE ID*
>
> *Package*
>
> *Required Version (or newer)*
>
> *Primary Action*
>
> *CVE-2025-68146*
>
> filelock
>
> *v3.17.0*
>
> Upgrade to prevent symlink-based file corruption.
>
> *CVE-2025-68158*
>
> Authlib
>
> *v1.4.1*
>
> Upgrade to ensure OAuth states are strictly bound to user sessions.
>
> *CVE-2025-69277*
>
> libsodium
>
> *v1.0.21*
>
> Update the underlying C library (often via pynacl update).
>
> *CVE-2026-0994*
>
> protobuf
>
> *v5.29.3*
>
> Upgrade to enforce stricter recursion limits on nested messages.
>
> *CVE-2026-21226*
>
> azure-core
>
> *v1.31.0*
>
> *Critical:* Upgrade immediately to disable insecure deserialization.
>
> *CVE-2026-21441*
>
> urllib3
>
> *v2.3.1*
>
> Upgrade to fix "Decompression Bomb" handling in redirects.
>
> *CVE-2026-21860*
>
> Werkzeug
>
> *v3.1.4*
>
> Upgrade to properly sanitize Windows reserved device names.
>
> *CVE-2026-22701*
>
> filelock
>
> *v3.18.0*
>
> Upgrade to patch the SoftFileLock race condition.
>
> *CVE-2026-22702*
>
> virtualenv
>
> *v20.29.2*
>
> Upgrade to prevent symlink attacks during environment creation.
>
> *CVE-2026-23490*
>
> pyasn1
>
> *v0.6.2*
>
> Upgrade to prevent memory exhaustion from malformed OIDs.
>
> *CVE-2026-23949*
>
> jaraco.context
>
> *v6.1.0*
>
> Upgrade to fix Path Traversal (Zip Slip) in tarball().
>
> *CVE-2026-24049*
>
> wheel
>
> *v0.45.2*
>
> Upgrade to prevent unauthorized chmod calls during unpacking.
>
> *CVE-2026-26007*
>
> cryptography
>
> *v44.0.2*
>
> *Critical:* Upgrade to ensure validation of SECT curve points.
>
>
>
> On Tue, Feb 17, 2026 at 9:18 PM Rogelio Villafana Sanchez <
> [email protected]> wrote:
>
> Hello PGAdmin support team,
>
>
>
> Three weeks ago, we completed the upgrade of PGAdmin to v9.11, yet in our
> last vulnerabilities scan report, several pip modules came in the picture
> as vulnerable version.
>
> As these are modules which come embedded in the site packages installer,
> we would like to confirm below question with you.
>
>
>
>    1. Any existing/coming version that fix shared CVEs?
>    2. Will it be in their roadmap. If yes when is the plan to fix it?
>    3. Can we delete those files do we see any impact?
>    4. We can see v9.12 was just released, but does this version fix the
>    CVEs or have the modules on fixed version?
>    5. Also, we know these CVEs might be false positive if yes, please
>    share the description.
>
>
>
> CVE-2025-68146
> CVE-2025-68158
> CVE-2025-69277
> CVE-2026-0994
> CVE-2026-21226
> CVE-2026-21441
> CVE-2026-21860
> CVE-2026-22701
> CVE-2026-22702
> CVE-2026-23490
> CVE-2026-23949
> CVE-2026-24049
> CVE-2026-26007
>
>
>
> *Rogelio Villafaña*
>
> DevOps Specialist | ATT BSSe
>
> [image: Shape Description automatically generated with medium confidence]
>
>
>
> *This email and the information contained herein is proprietary and
> confidential and subject to the Amdocs Email Terms of Service, which you
> may review at* *https://www.amdocs.com/about/email-terms-of-service*
> <https://www.amdocs.com/about/email-terms-of-service;
>
>
>
>
> --
>
> Thanks,
>
> Aditya Toshniwal
>
> pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com*
> <https://www.enterprisedb.com/;
>
> "Don't Complain about Heat, Plant a TREE"
>
> *This email and the information contained herein is proprietary and
> confidential and subject to the Amdocs Email Terms of Service, which you
> may review at* *https://www.amdocs.com/about/email-terms-of-service*
> <https://www.amdocs.com/about/email-terms-of-service;
>
>
>
>
> --
>
> Thanks,
>
> Aditya Toshniwal
>
> pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com*
> <https://www.enterprisedb.com/;
>
> "Don't Complain about Heat, Plant a TREE"
>
> *This email and the information contained herein is proprietary and
> confidential and subject to the Amdocs Email Terms of Service, which you
> may review at* *https://www.amdocs.com/about/email-terms-of-service*
> <https://www.amdocs.com/about/email-terms-of-service;
>


-- 
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com*
<https://www.enterprisedb.com/;
"Don't Complain about Heat, Plant a TREE"


Attachments:

  [image/gif] image001.gif (532.0K, 3-image001.gif)
  download | view image

^ permalink  raw  reply  [nested|flat] 8+ messages in thread

end of thread, other threads:[~2026-02-24 04:56 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2026-02-16 19:40 pgAdmin 4 || vulnerable pip modules Rogelio Villafana Sanchez <[email protected]>
2026-02-18 05:35 ` Aditya Toshniwal <[email protected]>
2026-02-18 18:23   ` Rogelio Villafana Sanchez <[email protected]>
2026-02-19 05:22     ` Chetan Lohi <[email protected]>
2026-02-19 15:05       ` Rogelio Villafana Sanchez <[email protected]>
2026-02-23 09:07         ` Aditya Toshniwal <[email protected]>
2026-02-23 19:32           ` Rogelio Villafana Sanchez <[email protected]>
2026-02-24 04:56             ` Aditya Toshniwal <[email protected]>

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox