Re: pgAdmin 4 || vulnerable pip modules - Mailing list pgadmin-support

From Aditya Toshniwal
Subject Re: pgAdmin 4 || vulnerable pip modules
Date
Msg-id CAM9w-_=S5ouh8EydZL_qiWkEXMghufbkniDCM0eS9Zaqk=T3NQ@mail.gmail.com
Whole thread
In response to pgAdmin 4 || vulnerable pip modules  (Rogelio Villafana Sanchez <RVillafana-Sanchez@amdocs.com>)
Responses RE: pgAdmin 4 || vulnerable pip modules
List pgadmin-support
Hi Rogelio,

I checked the CVE list you shared and the package versions required to fix them. I then checked the pgAdmin venv for the actual installed versions and found them all to be newer.
What did you use to scan the CVEs in pgAdmin?

CVE ID            Package          Required version (or newer)   Primary action
CVE-2025-68146    filelock         v3.17.0     Upgrade to prevent symlink-based file corruption.
CVE-2025-68158    Authlib          v1.4.1      Upgrade to ensure OAuth states are strictly bound to user sessions.
CVE-2025-69277    libsodium        v1.0.21     Update the underlying C library (often via pynacl update).
CVE-2026-0994     protobuf         v5.29.3     Upgrade to enforce stricter recursion limits on nested messages.
CVE-2026-21226    azure-core       v1.31.0     Critical: Upgrade immediately to disable insecure deserialization.
CVE-2026-21441    urllib3          v2.3.1      Upgrade to fix "Decompression Bomb" handling in redirects.
CVE-2026-21860    Werkzeug         v3.1.4      Upgrade to properly sanitize Windows reserved device names.
CVE-2026-22701    filelock         v3.18.0     Upgrade to patch the SoftFileLock race condition.
CVE-2026-22702    virtualenv       v20.29.2    Upgrade to prevent symlink attacks during environment creation.
CVE-2026-23490    pyasn1           v0.6.2      Upgrade to prevent memory exhaustion from malformed OIDs.
CVE-2026-23949    jaraco.context   v6.1.0      Upgrade to fix Path Traversal (Zip Slip) in tarball().
CVE-2026-24049    wheel            v0.45.2     Upgrade to prevent unauthorized chmod calls during unpacking.
CVE-2026-26007    cryptography     v44.0.2     Critical: Upgrade to ensure validation of SECT curve points.

On Tue, Feb 17, 2026 at 9:18 PM Rogelio Villafana Sanchez <RVillafana-Sanchez@amdocs.com> wrote:

Hello PGAdmin support team,


Three weeks ago, we completed the upgrade of PGAdmin to v9.11, yet in our last vulnerability scan report, several pip modules came into the picture as vulnerable versions.

As these are modules which come embedded in the site-packages installer, we would like to confirm the questions below with you.


  1. Is there any existing/coming version that fixes the shared CVEs?
  2. Will it be on their roadmap? If yes, when is the plan to fix it?
  3. Can we delete those files? Would we see any impact?
  4. We can see v9.12 was just released, but does this version fix the CVEs or have the modules on fixed versions?
  5. Also, we know these CVEs might be false positives; if yes, please share the description.


CVE-2025-68146
CVE-2025-68158
CVE-2025-69277
CVE-2026-0994
CVE-2026-21226
CVE-2026-21441
CVE-2026-21860
CVE-2026-22701
CVE-2026-22702
CVE-2026-23490
CVE-2026-23949
CVE-2026-24049
CVE-2026-26007


Rogelio Villafaña

DevOps Specialist | ATT BSSe


This email and the information contained herein is proprietary and confidential and subject to the Amdocs Email Terms of Service, which you may review at https://www.amdocs.com/about/email-terms-of-service



--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | enterprisedb.com
"Don't Complain about Heat, Plant a TREE"
Attachment
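The check Aditya describes, comparing what is actually installed in the pgAdmin venv against the minimum fixed version for each CVE, can be scripted so it is repeatable and so a scanner finding can be classified as fixed, still vulnerable, or not even installed. The script below is an added example for this thread, not pgAdmin's own code or tooling. It takes the required versions from the table in the reply; the `REQUIRED` mapping, the `parse_version`, `assess` and `has_findings` helpers, and the status labels are the example's own. It must be run with the interpreter of the environment being audited (for pgAdmin, the bundled venv's python), because `importlib.metadata` only sees the running interpreter's site-packages:

```python
"""Compare installed distributions against minimum fixed versions.

Added example for this thread; not pgAdmin code. Run it with the interpreter
of the environment you want to audit (for pgAdmin, the bundled venv's python),
because importlib.metadata only sees the running interpreter's site-packages.
"""
import sys
from importlib import metadata

# Minimum fixed versions copied from the table in the reply above.
# libsodium (CVE-2025-69277) is a C library shipped inside the PyNaCl wheel,
# not a pip distribution, so it is left out here and must be checked separately.
REQUIRED = {
    "CVE-2025-68146": ("filelock", "3.17.0"),
    "CVE-2025-68158": ("Authlib", "1.4.1"),
    "CVE-2026-0994": ("protobuf", "5.29.3"),
    "CVE-2026-21226": ("azure-core", "1.31.0"),
    "CVE-2026-21441": ("urllib3", "2.3.1"),
    "CVE-2026-21860": ("Werkzeug", "3.1.4"),
    "CVE-2026-22701": ("filelock", "3.18.0"),
    "CVE-2026-22702": ("virtualenv", "20.29.2"),
    "CVE-2026-23490": ("pyasn1", "0.6.2"),
    "CVE-2026-23949": ("jaraco.context", "6.1.0"),
    "CVE-2026-24049": ("wheel", "0.45.2"),
    "CVE-2026-26007": ("cryptography", "44.0.2"),
}


def parse_version(text):
    """Turn 'v3.17.0' / '3.17.0' / '1.4.1rc2' into a comparable tuple of ints.

    Each dotted component keeps only its leading digits, so a pre-release tag
    is ignored (1.4.1rc2 compares equal to 1.4.1). For full PEP 440 semantics
    use packaging.version.Version; this avoids the extra dependency.
    """
    parts = []
    for piece in text.strip().lstrip("vV").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def assess(required, installed=None):
    """Map each CVE to (dist, required, installed, status).

    status is 'ok' (installed >= required), 'vulnerable' (older), or
    'not installed' (the scanner flagged a package that is absent from this
    environment, which is worth reporting back as a likely false positive).
    `installed` is an optional dist->version mapping used instead of querying
    the running environment (used by the tests below).
    """
    results = {}
    for cve, (dist, req) in required.items():
        if installed is not None:
            have = installed.get(dist)
        else:
            try:
                have = metadata.version(dist)
            except metadata.PackageNotFoundError:
                have = None
        if have is None:
            status = "not installed"
        elif parse_version(have) >= parse_version(req):
            status = "ok"
        else:
            status = "vulnerable"
        results[cve] = (dist, req, have, status)
    return results


def has_findings(results):
    """True if any entry is still below its fixed version."""
    return any(r[3] == "vulnerable" for r in results.values())


if __name__ == "__main__":
    print("interpreter:", sys.executable)
    res = assess(REQUIRED)
    for cve, (dist, req, have, status) in res.items():
        print(f"{cve:15} {dist:15} need>={req:9} have={have or '-':9} {status}")
    sys.exit(1 if has_findings(res) else 0)
```

A non-zero exit only for the "vulnerable" status keeps the script usable as a CI gate, while the "not installed" rows are the ones to hand back to the scanner team as candidates for a false positive: a finding against a distribution that is not present in the venv at all cannot be fixed by upgrading it.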
