Re: pgAdmin 4 || vulnerable pip modules - Mailing list pgadmin-support
| From | Aditya Toshniwal |
|---|---|
| Subject | Re: pgAdmin 4 || vulnerable pip modules |
| Date | |
| Msg-id | CAM9w-_mt92e95U+EKRD9+4UFtPCob2ma6JcNmYnsD2BQVCbcyg@mail.gmail.com |
| In response to | pgAdmin 4 || vulnerable pip modules (Rogelio Villafana Sanchez <RVillafana-Sanchez@amdocs.com>) |
| List | pgadmin-support |
Hello @Aditya,
Does that mean all the mentioned CVEs are fixed in a specific pgAdmin version?
Rogelio Villafaña
DevOps Specialist | ATT BSSe
From: Aditya Toshniwal <aditya.toshniwal@enterprisedb.com>
Sent: Monday, February 23, 2026 3:08 AM
To: Rogelio Villafana Sanchez <RVillafana-Sanchez@amdocs.com>
Cc: Chetan Lohi <Chetan.Lohi@amdocs.com>; pgadmin-support@lists.postgresql.org; Akshay Swami <akshaysw@amdocs.com>; Manas . <Manas.1@amdocs.com>
Subject: Re: pgAdmin 4 || vulnerable pip modules
Hi Rogelio,
We've already checked the mentioned CVEs in the latest version. I'm not sure how WIZ works.
On Thu, Feb 19, 2026 at 8:35 PM Rogelio Villafana Sanchez <RVillafana-Sanchez@amdocs.com> wrote:
Thanks, Chetan!
Hi @Aditya Toshniwal, the only tool used is WIZ.
Rogelio Villafaña
DevOps Specialist | ATT BSSe
From: Chetan Lohi <Chetan.Lohi@amdocs.com>
Sent: Wednesday, February 18, 2026 11:22 PM
To: Rogelio Villafana Sanchez <RVillafana-Sanchez@amdocs.com>; Aditya Toshniwal <aditya.toshniwal@enterprisedb.com>
Cc: pgadmin-support@lists.postgresql.org; Akshay Swami <akshaysw@amdocs.com>; Manas . <Manas.1@amdocs.com>
Subject: RE: pgAdmin 4 || vulnerable pip modules
Hi Team,
Wiz itself does the vulnerability scanning; there is no additional tool involved.
Regards
Chetan Lohi
From: Rogelio Villafana Sanchez <RVillafana-Sanchez@amdocs.com>
Sent: Wednesday, February 18, 2026 11:54 PM
To: Aditya Toshniwal <aditya.toshniwal@enterprisedb.com>; Chetan Lohi <Chetan.Lohi@amdocs.com>
Cc: pgadmin-support@lists.postgresql.org; Akshay Swami <akshaysw@amdocs.com>; Manas . <Manas.1@amdocs.com>
Subject: RE: pgAdmin 4 || vulnerable pip modules
Hello @Chetan,
Could you help by sharing the details of the scan tool used for the WIZ report?
Rogelio Villafaña
DevOps Specialist | ATT BSSe
From: Aditya Toshniwal <aditya.toshniwal@enterprisedb.com>
Sent: Tuesday, February 17, 2026 11:36 PM
To: Rogelio Villafana Sanchez <RVillafana-Sanchez@amdocs.com>
Cc: pgadmin-support@lists.postgresql.org; Akshay Swami <akshaysw@amdocs.com>; Manas . <Manas.1@amdocs.com>
Subject: Re: pgAdmin 4 || vulnerable pip modules
Hi Rogelio,
I checked the CVE list you shared and the package versions required to fix it. I then checked the pgAdmin venv for the actual installed versions and found them all to be newer.
What did you use to scan the CVEs in pgAdmin?
| CVE ID | Package | Required Version (or newer) | Primary Action |
|---|---|---|---|
| CVE-2025-68146 | filelock | v3.17.0 | Upgrade to prevent symlink-based file corruption. |
| CVE-2025-68158 | Authlib | v1.4.1 | Upgrade to ensure OAuth states are strictly bound to user sessions. |
| CVE-2025-69277 | libsodium | v1.0.21 | Update the underlying C library (often via a `pynacl` update). |
| CVE-2026-0994 | protobuf | v5.29.3 | Upgrade to enforce stricter recursion limits on nested messages. |
| CVE-2026-21226 | azure-core | v1.31.0 | Critical: Upgrade immediately to disable insecure deserialization. |
| CVE-2026-21441 | urllib3 | v2.3.1 | Upgrade to fix "Decompression Bomb" handling in redirects. |
| CVE-2026-21860 | Werkzeug | v3.1.4 | Upgrade to properly sanitize Windows reserved device names. |
| CVE-2026-22701 | filelock | v3.18.0 | Upgrade to patch the `SoftFileLock` race condition. |
| CVE-2026-22702 | virtualenv | v20.29.2 | Upgrade to prevent symlink attacks during environment creation. |
| CVE-2026-23490 | pyasn1 | v0.6.2 | Upgrade to prevent memory exhaustion from malformed OIDs. |
| CVE-2026-23949 | jaraco.context | v6.1.0 | Upgrade to fix Path Traversal (Zip Slip) in `tarball()`. |
| CVE-2026-24049 | wheel | v0.45.2 | Upgrade to prevent unauthorized `chmod` calls during unpacking. |
| CVE-2026-26007 | cryptography | v44.0.2 | Critical: Upgrade to ensure validation of SECT curve points. |
On Tue, Feb 17, 2026 at 9:18 PM Rogelio Villafana Sanchez <RVillafana-Sanchez@amdocs.com> wrote:
Hello PGAdmin support team,
Three weeks ago, we completed the upgrade of pgAdmin to v9.11, yet in our latest vulnerability scan report, several pip modules showed up as being at vulnerable versions.
As these are modules that come embedded in the site-packages of the installer, we would like to confirm the following questions with you.
- Is there an existing or upcoming version that fixes the shared CVEs?
- Will it be on the roadmap? If yes, when is the fix planned?
- Can we delete those files, or would that have any impact?
- We can see v9.12 was just released, but does this version fix the CVEs, or does it have the modules at fixed versions?
- Also, we know these CVEs might be false positives; if so, please share the description.
CVE-2025-68146
CVE-2025-68158
CVE-2025-69277
CVE-2026-0994
CVE-2026-21226
CVE-2026-21441
CVE-2026-21860
CVE-2026-22701
CVE-2026-22702
CVE-2026-23490
CVE-2026-23949
CVE-2026-24049
CVE-2026-26007
Rogelio Villafaña
DevOps Specialist | ATT BSSe
This email and the information contained herein is proprietary and confidential and subject to the Amdocs Email Terms of Service, which you may review at https://www.amdocs.com/about/email-terms-of-service
--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | enterprisedb.com
"Don't Complain about Heat, Plant a TREE"
--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | enterprisedb.com
"Don't Complain about Heat, Plant a TREE"
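Aditya's reply of February 17 describes comparing the fixed versions from the scanner table with what is actually installed in the pgAdmin venv. The script below is an added example of that check and is not pgAdmin project code or anything posted in the thread. The package/version pairs in REQUIRED are copied from the table above; the sample environment in the demo is constructed. Two assumptions are baked in: the higher of the two filelock bounds (3.18.0) is the one that matters, and libsodium is left out because it is a C library bundled inside the PyNaCl wheel rather than a pip distribution, so `pip`/`importlib.metadata` cannot report its version and it needs a separate check.

```python
"""Check a venv's installed packages against the minimum fixed versions
from a scanner report.

Added example for this thread; not pgAdmin project code.  REQUIRED is
copied from the CVE table in the thread; the environment used in main()
is constructed so the demo runs anywhere.  Run installed_versions() with
the pgAdmin venv's own python to check a real installation.
"""
import re
from importlib import metadata

# Package -> lowest version the report lists as fixed.  filelock appears twice
# in the report (3.17.0 and 3.18.0); the higher bound is the one that matters.
# libsodium (CVE-2025-69277) is deliberately absent: it is a C library that
# the PyNaCl wheel bundles, so it is not a pip distribution and must be
# checked separately (assumption: that is what the scanner matched on).
REQUIRED = {
    "filelock": "3.18.0",
    "Authlib": "1.4.1",
    "protobuf": "5.29.3",
    "azure-core": "1.31.0",
    "urllib3": "2.3.1",
    "Werkzeug": "3.1.4",
    "virtualenv": "20.29.2",
    "pyasn1": "0.6.2",
    "jaraco.context": "6.1.0",
    "wheel": "0.45.2",
    "cryptography": "44.0.2",
}


def parse_version(text):
    """Parse '3.17.0', 'v20.29.2' or '1.4.1rc1' into a sortable key.

    Simplified PEP 440 (use packaging.version.Version for the real thing):
    the key is (release tuple with trailing zeros dropped, is_final).  A
    pre-release such as '1.4.1rc1' sorts below the final '1.4.1', so a
    candidate build is never mistaken for the fix; '.postN' and local
    '+...' suffixes count as final.
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(.*)", text.strip())
    if m is None:
        raise ValueError(f"unparseable version: {text!r}")
    release = [int(part) for part in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:  # 3.17.0 == 3.17
        release.pop()
    suffix = m.group(2)
    is_final = 1 if suffix == "" or suffix.startswith((".post", "+")) else 0
    return (tuple(release), is_final)


def installed_versions(names):
    """Look up each distribution in the running interpreter's environment.
    Distributions that are not installed map to None."""
    found = {}
    for name in names:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            found[name] = None
    return found


def check_versions(required, installed):
    """Return {package: 'ok' | 'vulnerable' | 'missing'} for each required package."""
    report = {}
    for name, minimum in required.items():
        current = installed.get(name)
        if current is None:
            report[name] = "missing"
        elif parse_version(current) >= parse_version(minimum):
            report[name] = "ok"
        else:
            report[name] = "vulnerable"
    return report


def still_vulnerable(report):
    """Packages the upgrade did not cover, sorted for the ticket back to the scanner team."""
    return sorted(name for name, status in report.items() if status == "vulnerable")


if __name__ == "__main__":
    # Constructed sample environment (not a real pgAdmin venv).
    sample_env = {
        "filelock": "3.20.0",    # above both filelock bounds -> ok
        "Authlib": "1.4.1rc1",   # pre-release of the fix version -> vulnerable
        "urllib3": "2.2.3",      # below 2.3.1 -> vulnerable
        "Werkzeug": "v3.1.4",    # exactly the fix version -> ok
    }
    report = check_versions({k: REQUIRED[k] for k in sample_env}, sample_env)
    for name, status in report.items():
        print(f"{name:12} {sample_env[name]:10} {status}")
    print("still vulnerable:", still_vulnerable(report))
    # Against the real venv: check_versions(REQUIRED, installed_versions(REQUIRED))
```

A "missing" result is worth reading carefully before closing a finding: it can mean the package is genuinely absent from the venv, or that the scanner matched a file on disk (a vendored copy, a bundled shared library, a leftover `.dist-info` directory) that pip does not own, which is exactly the kind of mismatch that produces the disagreement seen in this thread.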