public inbox for [email protected]  
help / color / mirror / Atom feed
pgAdmin 4 v9.16 Released
3+ messages / 3 participants
[nested] [flat]

* pgAdmin 4 v9.16 Released
@ 2026-06-18 14:51  Ashesh Vashi <[email protected]>
  0 siblings, 1 reply; 3+ messages in thread

From: Ashesh Vashi @ 2026-06-18 14:51 UTC (permalink / raw)
  To: pgadmin-support

The pgAdmin Development Team is pleased to announce pgAdmin 4 version 9.16.

This release of pgAdmin 4 includes 64 bug fixes and new features. For more
details please see the release notes at:

https://www.pgadmin.org/docs/pgadmin4/9.16/release_notes_9_16.html

pgAdmin is the leading Open Source graphical management tool for
PostgreSQL. For more information, please see:

https://www.pgadmin.org/

Notable changes in this release include:

*Features:*

* Add an option to colourize panel and tab headers based on the connected
server's colour, making it easier to tell which server a tab is connected
to at a glance.
* Add a "Back to login" link to the Forgot Password and Reset Password
pages.
* Add support for the TOAST tuple target storage parameter in the
Materialized View dialog.
* Make the init container security context in the Helm chart configurable
via containerSecurityContext, consistent with the main container.
* Add support for closing a tab with a middle-click on its title.
* Allow the OAuth2 login button icon to use any Font Awesome style (e.g.
fas fa-key), not only brand icons.

*Bugs/Housekeeping:*

* Fix SQL injection across sixteen dialog templates that rendered COMMENT
ON ... IS '<description>' and the related pgstattuple/pgstatindex stats
sinks; switches the affected templates to qtLiteral and rewrites the stats
calls to pass the relation OID via a ::oid::regclass cast (CVE-2026-12044).
* Fix the AI Assistant read-only transaction bypass that allowed
prompt-injected multi-statement payloads to commit out of the READ ONLY
wrapper and execute arbitrary SQL, chaining to RCE via COPY ... TO PROGRAM
on a superuser connection (CVE-2026-12045).
* Fix two SQL Editor endpoints (close and update_connection) missing the
@pga_login_required decorator, making them reachable without authentication
in server mode and exposing a pickle deserialization sink (CVE-2026-12046).
* Fix HTML injection in the cloud deployment module (RDS, Azure, Google)
where SDK exception text was forwarded to the browser unsanitised and
rendered through html-react-parser in the Cloud Wizard (CVE-2026-12047).
* Fix critical stored cross-site scripting where PostgreSQL server error
text and Explain plan-node content passed through html-react-parser across
notifier toasts, form errors, modal alerts, and the Explain visualiser;
under pgAdmin's default Content-Security-Policy, injected script ran
same-origin to the victim's session and could exfiltrate saved server
credentials and issue SQL against every connected server (CVE-2026-12048).
* Fix the open redirect in the multi-factor authentication flow via an
unvalidated next parameter (CVE-2026-12049).
* Fix SQL injection in the named restore point endpoint where the
user-supplied restore point name was interpolated into SQL via str.format()
instead of being passed as a bound parameter (CVE-2026-12050).
* Remove the administrator-role bypass from the server-access helpers so
the access-control checks added in 9.15 (CVE-2026-7813) are enforced
uniformly. The Administrator role manages pgAdmin itself, not other users'
database connections.
* Remove the EDB BigAnimal cloud deployment support, which was deprecated
in 9.15.
* Preserve jsonb number representation in the JSON editor so trailing
fractional zeros and large integers are no longer rewritten when saving
unmodified rows.
* Fix a View/Edit Data crash when the session contains a transaction object
that is not filter-capable (e.g. left by the Query Tool or persisted by an
older version), which could prevent the desktop application from loading
after an upgrade.
* Rebase the version-specific SQL templates so the default targets
PostgreSQL 14, the oldest supported server version, dropping the obsolete
sub-14 template buckets.
* Strip the foreign-architecture slice from the macOS bundle so single-arch
builds no longer ship the universal2 Python framework's unused arm64/x86_64
code.
* Bump Electron in the desktop runtime to 42.3.3 and pin the packaged
Electron version, bump cryptography to 49.0 and other Python and JavaScript
dependencies via the dependabot batch.
* Update the Italian translation.

Builds for Windows and macOS are available now, along with a Python Wheel,
Docker Container, RPM, DEB Package, and source code tarball from:
https://www.pgadmin.org/download/

*Deprecation Notice: pgAgent*

pgAgent has been deprecated and will be discontinued. The pgAgent will be
removed from the website within one month. Support for pgAgent within
pgAdmin will be removed in a future release approximately six months from
now.
Users are encouraged to migrate to an alternative job scheduling solution
before support is removed.

---
Ashesh Vashi

pgAdmin Project


^ permalink  raw  reply  [nested|flat] 3+ messages in thread

* Re: pgAdmin 4 v9.16 Released
@ 2026-06-26 18:32  Frank Limpert <[email protected]>
  parent: Ashesh Vashi <[email protected]>
  0 siblings, 1 reply; 3+ messages in thread

From: Frank Limpert @ 2026-06-26 18:32 UTC (permalink / raw)
  To: pgadmin-support

Dear pgAdmin Team,

When and where was pgAgent deprecated? This is the first notice that 
reaches me. Are there any active forks of your code that you would 
recommend?

My database project relies havily on pgAgent. Is there a place where I 
can learn about alternatives?

Happy computing...
Frank Limpert

Am 18.06.26 um 16:51 schrieb Ashesh Vashi:
> The pgAdmin Development Team is pleased to announce pgAdmin 4 version 
> 9.16.
>
> -- 8< ---- 8< ---- 8< ---- 8< --
> *Deprecation Notice: pgAgent*
>
> pgAgent has been deprecated and will be discontinued. The pgAgent will 
> be removed from the website within one month. Support for pgAgent 
> within pgAdmin will be removed in a future release approximately six 
> months from now.
> Users are encouraged to migrate to an alternative job scheduling 
> solution before support is removed.
>
> ---
> Ashesh Vashi
>
> pgAdmin Project


^ permalink  raw  reply  [nested|flat] 3+ messages in thread

* Re: pgAdmin 4 v9.16 Released
@ 2026-06-26 23:55  Anthony DeBarros <[email protected]>
  parent: Frank Limpert <[email protected]>
  0 siblings, 0 replies; 3+ messages in thread

From: Anthony DeBarros @ 2026-06-26 23:55 UTC (permalink / raw)
  To: Frank Limpert <[email protected]>; +Cc: pgadmin-support

On Jun 26, 2026 at 2:32:57 PM, Frank Limpert <[email protected]>
wrote:

> Dear pgAdmin Team,
>
> When and where was pgAgent deprecated? This is the first notice that
> reaches me. Are there any active forks of your code that you would
> recommend?
>
> My database project relies havily on pgAgent. Is there a place where I can
> learn about alternatives?
>
>
I’ve heard some people mention
https://github.com/cybertec-postgresql/pg_timetable
Also: https://github.com/citusdata/pg_cron


^ permalink  raw  reply  [nested|flat] 3+ messages in thread


end of thread, other threads:[~2026-06-26 23:55 UTC | newest]

Thread overview: 3+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2026-06-18 14:51 pgAdmin 4 v9.16 Released Ashesh Vashi <[email protected]>
2026-06-26 18:32 ` Frank Limpert <[email protected]>
2026-06-26 23:55   ` Anthony DeBarros <[email protected]>

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox