Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1waNO2-001kyR-1T for pgsql-announce@arkaria.postgresql.org; Fri, 19 Jun 2026 00:47:10 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1waNO1-00EECK-1G for pgsql-announce@arkaria.postgresql.org; Fri, 19 Jun 2026 00:47:09 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1waNO0-00EEBU-14 for pgsql-announce@lists.postgresql.org; Fri, 19 Jun 2026 00:47:08 +0000 Received: from mahout.postgresql.org ([2001:4800:3e1:1::227]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1waNNy-000000013pC-0uE0 for pgsql-announce@lists.postgresql.org; Fri, 19 Jun 2026 00:47:07 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=postgresql.org; s=20171124; h=Message-ID:Date:Reply-To:From:To:Subject: MIME-Version:Content-Type:Sender:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:In-Reply-To:References; bh=5Q6bUBqC4Smhn3DjoFB+WJJRb65SXeBmHx095/QfcsI=; b=epzoY2e2Wz+83/SKodjLDb7/oj 0UdpzQxAen4f9r42NaVgXeNYP3he0VjcYUw3KvXXEXAAvvXHud0XEJB+Y+aQH6lQfkNoDkwuZZaJS lOb7QiO2dq8BvoEX3nzxFS1dBReGb7J+RpxrZaTC3nOsXXqkGSMDVc7iQnLvUw+omrXXH7+pNk/pb z/U6FMXu4xSIgYo79fN4WxJzgR7d6Sv3ZfnCGiaVvlJ/R/qy5N4hh8tnHF6ygAGYP7/hu6M3fxRde zUypBpiVb3WGTyHNwH2O4GkPJoAaXfRd/tdgds8yQT4RvJ6CYOZBLwIg2xwkd8T40BE0ww3yAm60Z CuRyHHUA==; Received: from wrigleys.postgresql.org ([217.196.149.60]) by mahout.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1waNNw-003CEh-1s for pgsql-announce@lists.postgresql.org; Fri, 19 Jun 2026 00:47:05 +0000 Received: from localhost ([127.0.0.1] helo=wrigleys.postgresql.org) by wrigleys.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1waNNv-007DvE-0I for pgsql-announce@lists.postgresql.org; Fri, 19 Jun 2026 00:47:03 +0000 Content-Type: multipart/alternative; boundary="===============6920483568987048079==" MIME-Version: 1.0 Subject: pgAdmin 4 v9.16 Released To: PostgreSQL Announce From: pgAdmin Development Team via PostgreSQL Announce Reply-To: news@pgadmin.org Date: Fri, 19 Jun 2026 00:46:15 +0000 Message-ID: <178182997509.771.1104839238515574019@wrigleys.postgresql.org> X-Auto-Response-Suppress: All Auto-Submitted: auto-generated X-pglister-tags: related X-pglister-tagsig: eba8a8d2919f7c36458eff96309427687a511b4e1911f7015e8667806a565999 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --===============6920483568987048079== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable The pgAdmin Development Team is pleased to announce the release of pgAdmin = 4 version 9.16. This release of pgAdmin 4 includes 64 bug fixes and new fea= tures, including fixes for seven security vulnerabilities (CVE-2026-12044 t= hrough CVE-2026-12050). For more details, please see the [release notes](ht= tps://www.pgadmin.org/docs/pgadmin4/9.16/release_notes_9_16.html). pgAdmin is the leading open-source graphical management tool for PostgreSQL= . For more information, please see [the website](https://www.pgadmin.org/). Notable changes in this release include: ## Features * Colorize panel and tab headers based on the connected server's colour, ma= king it easier to identify which server a tab belongs to at a glance. * Add a "Back to login" link to the Forgot Password and Reset Password page= s. * Add support for the TOAST tuple target storage parameter in the Materiali= zed View dialog. * Make the init container security context in the Helm chart configurable v= ia `containerSecurityContext`. * Add support for closing a tab with a middle-click on its title. * Allow the OAuth2 login button icon to use any Font Awesome style, not onl= y brand icons. ## Security Fixes * Fix SQL injection across sixteen dialog templates that rendered `COMMENT = ON ... IS ''`; switches affected templates to `qtLiteral` and = rewrites stats calls to pass the relation OID via a `::oid::regclass` cast = (CVE-2026-12044). * Fix an AI Assistant read-only transaction bypass that allowed prompt-inje= cted multi-statement payloads to commit out of the `READ ONLY` wrapper, cha= ining to RCE via `COPY ... TO PROGRAM` on a superuser connection (CVE-2026-= 12045). * Fix two SQL Editor endpoints missing the `@pga_login_required` decorator,= making them reachable without authentication in server mode and exposing a= pickle deserialization sink (CVE-2026-12046). * Fix HTML injection in the cloud deployment module (RDS, Azure, Google) wh= ere SDK exception text was forwarded to the browser unsanitised and rendere= d through `html-react-parser` (CVE-2026-12047). * Fix critical stored cross-site scripting where PostgreSQL server error te= xt and Explain plan-node content passed through `html-react-parser` across = notifier toasts, form errors, modal alerts, and the Explain visualiser; inj= ected script could exfiltrate saved server credentials and issue SQL agains= t every connected server (CVE-2026-12048). * Fix an open redirect in the multi-factor authentication flow via an unval= idated `next` parameter (CVE-2026-12049). * Fix SQL injection in the named restore point endpoint where the user-supp= lied restore point name was interpolated into SQL via `str.format()` instea= d of a bound parameter (CVE-2026-12050). ## Bugs/Housekeeping * Remove the administrator-role bypass from server-access helpers so the ac= cess-control checks added in 9.15 (CVE-2026-7813) are enforced uniformly. * Remove EDB BigAnimal cloud deployment support, which was deprecated in 9.= 15. * Preserve `jsonb` number representation in the JSON editor so trailing fra= ctional zeros and large integers are no longer rewritten when saving unmodi= fied rows. * Fix a View/Edit Data crash when the session contains a transaction object= that is not filter-capable, which could prevent the desktop application fr= om loading after an upgrade. * Rebase version-specific SQL templates so the default targets PostgreSQL 1= 4, the oldest supported server version, dropping obsolete sub-14 template b= uckets. * Strip the foreign-architecture slice from the macOS bundle so single-arch= builds no longer ship unused code. * Bump Electron to 42.3.3, `cryptography` to 49.0, and other Python and Jav= aScript dependencies. * Update the Italian translation. ## Deprecations * **pgAgent** has been deprecated and will be discontinued. pgAgent will be= removed from the website within one month, and support within pgAdmin will= be removed approximately six months from now. Users are encouraged to migr= ate to an alternative job scheduling solution. Builds for Windows and macOS are available now, along with a Python Wheel, = Docker Container, RPM, DEB Package, and source code tarball from the [downl= oad area](https://www.pgadmin.org/download/). --===============6920483568987048079== Content-Type: text/html; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable pgAdmin 4 v9.16 Released
 

pgAdmin 4 v9.16 Released

The pgAdmin Development Team is pleased to = announce the release of pgAdmin 4 version 9.16. This release of pgAdmin 4 i= ncludes 64 bug fixes and new features, including fixes for seven security v= ulnerabilities (CVE-2026-12044 through CVE-2026-12050). For more details, p= lease see the rele= ase notes.

pgAdmin is the leading open-source graphica= l management tool for PostgreSQL. For more information, please see the website.

Notable changes in this release include:

Features

  • Colorize panel = and tab headers based on the connected server's colour, making it easier to= identify which server a tab belongs to at a glance.
  • Add a "Back to = login" link to the Forgot Password and Reset Password pages.
  • Add support for= the TOAST tuple target storage parameter in the Materialized View dialog.<= /li>
  • Make the init c= ontainer security context in the Helm chart configurable via containe= rSecurityContext.
  • Add support for= closing a tab with a middle-click on its title.
  • Allow the OAuth= 2 login button icon to use any Font Awesome style, not only brand icons.

Security Fixes

  • Fix SQL injecti= on across sixteen dialog templates that rendered COMMENT ON ... IS '&= lt;description>'; switches affected templates to qtLiteral<= /code> and rewrites stats calls to pass the relation OID via a ::oid:= :regclass cast (CVE-2026-12044).
  • Fix an AI Assis= tant read-only transaction bypass that allowed prompt-injected multi-statem= ent payloads to commit out of the READ ONLY wrapper, chaining = to RCE via COPY ... TO PROGRAM on a superuser connection (CVE-= 2026-12045).
  • Fix two SQL Edi= tor endpoints missing the @pga_login_required decorator, makin= g them reachable without authentication in server mode and exposing a pickl= e deserialization sink (CVE-2026-12046).
  • Fix HTML inject= ion in the cloud deployment module (RDS, Azure, Google) where SDK exception= text was forwarded to the browser unsanitised and rendered through h= tml-react-parser (CVE-2026-12047).
  • Fix critical st= ored cross-site scripting where PostgreSQL server error text and Explain pl= an-node content passed through html-react-parser across notifi= er toasts, form errors, modal alerts, and the Explain visualiser; injected = script could exfiltrate saved server credentials and issue SQL against ever= y connected server (CVE-2026-12048).
  • Fix an open red= irect in the multi-factor authentication flow via an unvalidated next= parameter (CVE-2026-12049).
  • Fix SQL injecti= on in the named restore point endpoint where the user-supplied restore poin= t name was interpolated into SQL via str.format() instead of a= bound parameter (CVE-2026-12050).

Bugs/Housekeeping

  • Remove the admi= nistrator-role bypass from server-access helpers so the access-control chec= ks added in 9.15 (CVE-2026-7813) are enforced uniformly.
  • Remove EDB BigA= nimal cloud deployment support, which was deprecated in 9.15.
  • Preserve = jsonb number representation in the JSON editor so trailing fractiona= l zeros and large integers are no longer rewritten when saving unmodified r= ows.
  • Fix a View/Edit= Data crash when the session contains a transaction object that is not filt= er-capable, which could prevent the desktop application from loading after = an upgrade.
  • Rebase version-= specific SQL templates so the default targets PostgreSQL 14, the oldest sup= ported server version, dropping obsolete sub-14 template buckets.
  • Strip the forei= gn-architecture slice from the macOS bundle so single-arch builds no longer= ship unused code.
  • Bump Electron t= o 42.3.3, cryptography to 49.0, and other Python and JavaScrip= t dependencies.
  • Update the Ital= ian translation.

Deprecations

  • pgAgent= has been deprecated and will be discontinued. pgAgent will be rem= oved from the website within one month, and support within pgAdmin will be = removed approximately six months from now. Users are encouraged to migrate = to an alternative job scheduling solution.

Builds for Windows and macOS are available = now, along with a Python Wheel, Docker Container, RPM, DEB Package, and sou= rce code tarball from the download area.

This email was sent to you from pgAdmin Development Team. It was delivered = on their behalf by the PostgreSQL project. Any questions about the content of the message shou= ld be sent to pgAdmin Development Team.

You were sent this email as a subscriber of the pgsql-announce mai= linglist, for the content tag Related Open Source. To unsubscribe from further emails, or change which emails you want to receive, please click th= e personal unsubscribe link that you can find in the headers of this email, or visit https://lists.postgresql.org/unsubscribe/.
 
--===============6920483568987048079==--