Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-announce-owner+archive@lists.postgresql.org>)
	id 1wMTlj-0007hb-2I
	for pgsql-announce@arkaria.postgresql.org;
	Mon, 11 May 2026 16:46:12 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-announce-owner+archive@lists.postgresql.org>)
	id 1wMTli-001h21-1Y
	for pgsql-announce@arkaria.postgresql.org;
	Mon, 11 May 2026 16:46:10 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <announce-noreply@postgresql.org>)
	id 1wMTlh-001h1F-1g
	for pgsql-announce@lists.postgresql.org;
	Mon, 11 May 2026 16:46:09 +0000
Received: from mahout.postgresql.org ([2001:4800:3e1:1::227])
	by magus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.98.2)
	(envelope-from <announce-noreply@postgresql.org>)
	id 1wMTle-000000004nA-2IiA
	for pgsql-announce@lists.postgresql.org;
	Mon, 11 May 2026 16:46:09 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=postgresql.org; s=20171124; h=Message-ID:Date:Reply-To:From:To:Subject:
	MIME-Version:Content-Type:Sender:Cc:Content-Transfer-Encoding:Content-ID:
	Content-Description:In-Reply-To:References;
	bh=DsynOvnadK0Iv79ZIGHzVg4TOk7k1IG42oHa3D+Utf4=; b=ohVDShApNq2iyu0dG9IveQtQbc
	x9uAV4xsNsLCW35P3X3eA7WcvkeGxx4qyc+8C3XFAm3KPw2WRfgJMwosrP48bIB07U7eR9XDWnju9
	Wq1CkSPbNZnDiFqrzKHSGRIgnGW7AusPEhzsj8T/G7xKoO6x20FaGLJtEsqF57ClaGEVIqYUBu4i7
	RKO17pJ0Z2AyByWNFlAq216l4N8ph7HnH0wW0B8z4ZPA8FelWVDijXgnF+H/px/U4ERwwGkGr2cIH
	mLL4wBldYLc5RjsbGoR8FE2NQ1m9mTubRyLK8rB85vzGEEv49KQFBowCWXKgU0Myh03OCZqOOo90R
	rd6Kmz6A==;
Received: from wrigleys.postgresql.org ([217.196.149.60])
	by mahout.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <announce-noreply@postgresql.org>)
	id 1wMTld-000BDg-03
	for pgsql-announce@lists.postgresql.org;
	Mon, 11 May 2026 16:46:05 +0000
Received: from localhost ([127.0.0.1] helo=wrigleys.postgresql.org)
	by wrigleys.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <announce-noreply@postgresql.org>)
	id 1wMTla-000O5n-0U
	for pgsql-announce@lists.postgresql.org;
	Mon, 11 May 2026 16:46:03 +0000
Content-Type: multipart/alternative;
 boundary="===============8196487897871356956=="
MIME-Version: 1.0
Subject: pgAdmin 4 v9.15 Released
To: PostgreSQL Announce <pgsql-announce@lists.postgresql.org>
From: pgAdmin Development Team via PostgreSQL Announce
 <announce-noreply@postgresql.org>
Reply-To: news@pgadmin.org
Date: Mon, 11 May 2026 16:45:42 +0000
Message-ID: <177851794230.851.10919277514111552494@wrigleys.postgresql.org>
X-Auto-Response-Suppress: All
Auto-Submitted: auto-generated
X-pglister-tags: related
X-pglister-tagsig: 
 501a64dbadfa982ec592edb3e623f6ddf1bd0896fbc171412a4800a66affeb35
List-Id: <pgsql-announce.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-announce@lists.postgresql.org>
List-Owner: <mailto:pgsql-announce-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-announce>
Archived-At: 
 <https://www.postgresql.org/message-id/177851794230.851.10919277514111552494%40wrigleys.postgresql.org>
Precedence: bulk

--===============8196487897871356956==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

The pgAdmin Development Team is pleased to announce pgAdmin 4 version 9.15.

This release of pgAdmin 4 includes 19 bug fixes and new features. For more =
details please see the release notes at:

<https://www.pgadmin.org/docs/pgadmin4/9.15/release_notes_9_15.html>

pgAdmin is the leading Open Source graphical management tool for PostgreSQL=
. For more information, please see:

<https://www.pgadmin.org/>

**Notable changes in this release include:**

## Features

- Allow the Docker container image to run as a non-default user via the `PU=
ID` and `PGID` environment variables.

## Bugs/Housekeeping

- Fix cross-user data access and shared-server privilege escalation in serv=
er mode (**CVE-2026-7813**).
- Tighten Shared Server feature parity, owner-only field handling, and writ=
e guards as a follow-up to the data-isolation hardening.
- Fix stored cross-site scripting (XSS) via crafted PostgreSQL object names=
 rendered in the Browser Tree and Explain Visualizer (**CVE-2026-7814**).
- Fix SQL injection in the Maintenance tool option values (**CVE-2026-7815*=
*).
- Fix OS command injection in Import/Export query export (**CVE-2026-7816**=
).
- Fix local-file inclusion and server-side request forgery in the LLM API c=
onfiguration endpoints (**CVE-2026-7817**).
- Fix unsafe deserialization in the session manager that could lead to remo=
te code execution (**CVE-2026-7818**). This change also encrypts session fi=
les at rest using Fernet, restricts session-file and `DATA_DIR` permissions=
 to `0o600`, switches the session-digest default from SHA-1 to SHA-256, and=
 drops several non-roundtrippable live objects from the session.
- Fix symlink-based path traversal in the file manager (**CVE-2026-7819**).
- Fix account-lockout bypass on Flask-Security's default `/login` view so t=
he `locked` field is honored on every authentication path (**CVE-2026-7820*=
*).
- Use absolute paths for `a2enmod` and `a2enconf` in the Debian setup scrip=
t so it works when `/usr/sbin` is not on `PATH`.
- Bump Python and JavaScript runtime/development dependencies, and upgrade =
ESLint to v10.
- Update the Czech, Italian, Russian, Spanish, and Swedish translations.

## Deprecations

- The **BigAnimal** cloud deployment integration is deprecated and will be =
removed in the next version of pgAdmin 4.


---

Builds for Windows and macOS are available now, along with a Python Wheel, =
Docker Container, RPM, DEB Package, and source code tarball from:

<https://www.pgadmin.org/download/>
--===============8196487897871356956==
Content-Type: text/html; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable



<!doctype html>
<html>
  <head>
    <meta name=3D"viewport" content=3D"width=3Ddevice-width">
    <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DUTF-8=
">
    <title>pgAdmin 4 v9.15 Released</title>
    <style>

    @media only screen and (max-width: 620px) {
      table[class=3Dbody] h1 {
        font-size: 28px !important;
        margin-bottom: 10px !important;
      }
      table[class=3Dbody] p,
            table[class=3Dbody] ul,
            table[class=3Dbody] ol,
            table[class=3Dbody] td,
            table[class=3Dbody] span,
            table[class=3Dbody] a {
        font-size: 16px !important;
      }
      table[class=3Dbody] .wrapper,
            table[class=3Dbody] .article {
        padding: 10px !important;
      }
      table[class=3Dbody] .content {
        padding: 0 !important;
      }
      table[class=3Dbody] .container {
        padding: 0 !important;
        width: 100% !important;
      }
      table[class=3Dbody] .main {
        border-left-width: 0 !important;
        border-radius: 0 !important;
        border-right-width: 0 !important;
      }
      table[class=3Dbody] .btn table {
        width: 100% !important;
      }
      table[class=3Dbody] .btn a {
        width: 100% !important;
      }
      table[class=3Dbody] .img-responsive {
        height: auto !important;
        max-width: 100% !important;
        width: auto !important;
      }
    }

    @media all {
      .ExternalClass {
        width: 100%;
      }
      .ExternalClass,
            .ExternalClass p,
            .ExternalClass span,
            .ExternalClass font,
            .ExternalClass td,
            .ExternalClass div {
        line-height: 100%;
      }
      .apple-link a {
        color: inherit !important;
        font-family: inherit !important;
        font-size: inherit !important;
        font-weight: inherit !important;
        line-height: inherit !important;
        text-decoration: none !important;
      }
      #MessageViewBody a {
        color: inherit;
        text-decoration: none;
        font-size: inherit;
        font-family: inherit;
        font-weight: inherit;
        line-height: inherit;
      }
      .btn-primary table td:hover {
        background-color: #34495e !important;
      }
      .btn-primary a:hover {
        background-color: #34495e !important;
        border-color: #34495e !important;
      }
    }
    </style>
  </head>
  <body class=3D"" style=3D"background-color: #f6f6f6; font-family: sans-se=
rif; -webkit-font-smoothing: antialiased; font-size: 14px; line-height: 1.4=
; margin: 0; padding: 0; -ms-text-size-adjust: 100%; -webkit-text-size-adju=
st: 100%;">
    <table border=3D"0" cellpadding=3D"0" cellspacing=3D"0" class=3D"body" =
style=3D"border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace=
: 0pt; width: 100%; background-color: #f6f6f6;">
      <tr>
        <td style=3D"font-family: sans-serif; font-size: 14px; vertical-ali=
gn: top;">&nbsp;</td>
        <td class=3D"container" style=3D"font-family: sans-serif; font-size=
: 14px; vertical-align: top; display: block; Margin: 0 auto; max-width: 580=
px; padding: 10px; width: 580px;">
          <div class=3D"content" style=3D"box-sizing: border-box; display: =
block; Margin: 0 auto; max-width: 580px; padding: 10px;">


            <span class=3D"preheader" style=3D"color: transparent; display:=
 none; height: 0; max-height: 0; max-width: 0; opacity: 0; overflow: hidden=
; mso-hide: all; visibility: hidden; width: 0;"></span>
            <table class=3D"main" style=3D"border-collapse: separate; mso-t=
able-lspace: 0pt; mso-table-rspace: 0pt; width: 100%; background: #ffffff; =
border-radius: 3px;">


              <tr>
                <td class=3D"wrapper" style=3D"font-family: sans-serif; fon=
t-size: 14px; vertical-align: top; box-sizing: border-box; padding: 20px;">
                  <table border=3D"0" cellpadding=3D"0" cellspacing=3D"0" s=
tyle=3D"border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace:=
 0pt; width: 100%;">
                    <tr>
                      <td style=3D"font-family: sans-serif; font-size: 14px=
; vertical-align: top;">

<div>
<h1 style=3D"color: #000; font-family: sans-serif; line-height: 1.4; margin=
: 0; margin-bottom: 30px; font-size: 25px; font-weight: 300; text-align: ce=
nter">pgAdmin 4 v9.15 Released</h1>
</div>
<p style=3D"font-family: sans-serif; font-size: 14px; font-weight: normal; =
margin: 0; margin-bottom: 15px">The pgAdmin Development Team is pleased to =
announce pgAdmin 4 version 9.15.</p>
<p style=3D"font-family: sans-serif; font-size: 14px; font-weight: normal; =
margin: 0; margin-bottom: 15px">This release of pgAdmin 4 includes 19 bug f=
ixes and new features. For more details please see the release notes at:</p>
<p style=3D"font-family: sans-serif; font-size: 14px; font-weight: normal; =
margin: 0; margin-bottom: 15px"><a href=3D"https://www.pgadmin.org/docs/pga=
dmin4/9.15/release_notes_9_15.html" style=3D"color: #3498db; text-decoratio=
n: underline">https://www.pgadmin.org/docs/pgadmin4/9.15/release_notes_9_15=
.html</a></p>
<p style=3D"font-family: sans-serif; font-size: 14px; font-weight: normal; =
margin: 0; margin-bottom: 15px">pgAdmin is the leading Open Source graphica=
l management tool for PostgreSQL. For more information, please see:</p>
<p style=3D"font-family: sans-serif; font-size: 14px; font-weight: normal; =
margin: 0; margin-bottom: 15px"><a href=3D"https://www.pgadmin.org/" style=
=3D"color: #3498db; text-decoration: underline">https://www.pgadmin.org/</a=
></p>
<p style=3D"font-family: sans-serif; font-size: 14px; font-weight: normal; =
margin: 0; margin-bottom: 15px"><strong>Notable changes in this release inc=
lude:</strong></p>
<h2 style=3D"color: #000; font-family: sans-serif; font-weight: 400; line-h=
eight: 1.4; margin: 0; margin-bottom: 30px">Features</h2>
<ul style=3D"font-family: sans-serif; font-size: 14px; font-weight: normal;=
 margin: 0; margin-bottom: 15px">
<li style=3D"list-style-position: inside; margin-left: 5px">Allow the Docke=
r container image to run as a non-default user via the <code>PUID</code> an=
d <code>PGID</code> environment variables.</li>
</ul>
<h2 style=3D"color: #000; font-family: sans-serif; font-weight: 400; line-h=
eight: 1.4; margin: 0; margin-bottom: 30px">Bugs/Housekeeping</h2>
<ul style=3D"font-family: sans-serif; font-size: 14px; font-weight: normal;=
 margin: 0; margin-bottom: 15px">
<li style=3D"list-style-position: inside; margin-left: 5px">Fix cross-user =
data access and shared-server privilege escalation in server mode (<strong>=
CVE-2026-7813</strong>).</li>
<li style=3D"list-style-position: inside; margin-left: 5px">Tighten Shared =
Server feature parity, owner-only field handling, and write guards as a fol=
low-up to the data-isolation hardening.</li>
<li style=3D"list-style-position: inside; margin-left: 5px">Fix stored cros=
s-site scripting (XSS) via crafted PostgreSQL object names rendered in the =
Browser Tree and Explain Visualizer (<strong>CVE-2026-7814</strong>).</li>
<li style=3D"list-style-position: inside; margin-left: 5px">Fix SQL injecti=
on in the Maintenance tool option values (<strong>CVE-2026-7815</strong>).<=
/li>
<li style=3D"list-style-position: inside; margin-left: 5px">Fix OS command =
injection in Import/Export query export (<strong>CVE-2026-7816</strong>).</=
li>
<li style=3D"list-style-position: inside; margin-left: 5px">Fix local-file =
inclusion and server-side request forgery in the LLM API configuration endp=
oints (<strong>CVE-2026-7817</strong>).</li>
<li style=3D"list-style-position: inside; margin-left: 5px">Fix unsafe dese=
rialization in the session manager that could lead to remote code execution=
 (<strong>CVE-2026-7818</strong>). This change also encrypts session files =
at rest using Fernet, restricts session-file and <code>DATA_DIR</code> perm=
issions to <code>0o600</code>, switches the session-digest default from SHA=
-1 to SHA-256, and drops several non-roundtrippable live objects from the s=
ession.</li>
<li style=3D"list-style-position: inside; margin-left: 5px">Fix symlink-bas=
ed path traversal in the file manager (<strong>CVE-2026-7819</strong>).</li>
<li style=3D"list-style-position: inside; margin-left: 5px">Fix account-loc=
kout bypass on Flask-Security's default <code>/login</code> view so the <co=
de>locked</code> field is honored on every authentication path (<strong>CVE=
-2026-7820</strong>).</li>
<li style=3D"list-style-position: inside; margin-left: 5px">Use absolute pa=
ths for <code>a2enmod</code> and <code>a2enconf</code> in the Debian setup =
script so it works when <code>/usr/sbin</code> is not on <code>PATH</code>.=
</li>
<li style=3D"list-style-position: inside; margin-left: 5px">Bump Python and=
 JavaScript runtime/development dependencies, and upgrade ESLint to v10.</l=
i>
<li style=3D"list-style-position: inside; margin-left: 5px">Update the Czec=
h, Italian, Russian, Spanish, and Swedish translations.</li>
</ul>
<h2 style=3D"color: #000; font-family: sans-serif; font-weight: 400; line-h=
eight: 1.4; margin: 0; margin-bottom: 30px">Deprecations</h2>
<ul style=3D"font-family: sans-serif; font-size: 14px; font-weight: normal;=
 margin: 0; margin-bottom: 15px">
<li style=3D"list-style-position: inside; margin-left: 5px">The <strong>Big=
Animal</strong> cloud deployment integration is deprecated and will be remo=
ved in the next version of pgAdmin 4.</li>
</ul>
<hr/>
<p style=3D"font-family: sans-serif; font-size: 14px; font-weight: normal; =
margin: 0; margin-bottom: 15px">Builds for Windows and macOS are available =
now, along with a Python Wheel, Docker Container, RPM, DEB Package, and sou=
rce code tarball from:</p>
<p style=3D"font-family: sans-serif; font-size: 14px; font-weight: normal; =
margin: 0; margin-bottom: 15px"><a href=3D"https://www.pgadmin.org/download=
/" style=3D"color: #3498db; text-decoration: underline">https://www.pgadmin=
.org/download/</a></p>

                      </td>
                    </tr>
                  </table>
                </td>
              </tr>

            </table>

            <div class=3D"footer" style=3D"clear: both; Margin-top: 10px; t=
ext-align: center; width: 100%;">
              <table border=3D"0" cellpadding=3D"0" cellspacing=3D"0" style=
=3D"border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt=
; width: 100%;">
                <tr>
                  <td class=3D"content-block" style=3D"font-family: sans-se=
rif; vertical-align: top; padding-bottom: 10px; padding-top: 10px; font-siz=
e: 12px; color: #999999; text-align: center;">
                    <span class=3D"apple-link" style=3D"color: #999999; fon=
t-size: 12px; text-align: center;">
This email was sent to you from pgAdmin Development Team. It was delivered =
on their behalf by
the PostgreSQL project. Any questions about the content of the message shou=
ld be
sent to pgAdmin Development Team.
</span>
		    <br><br>
You were sent this email as a subscriber of the <em>pgsql-announce</em> mai=
linglist, for
the content tag Related Open Source.
To unsubscribe from
further emails, or change which emails you want to receive, please click th=
e personal unsubscribe
link that you can find in the headers of this email, or visit
<a href=3D"https://lists.postgresql.org/unsubscribe/" style=3D"color: #3498=
db; text-decoration: underline">https://lists.postgresql.org/unsubscribe/</=
a>.

                  </td>
                </tr>
              </table>
            </div>

          </div>
        </td>
        <td style=3D"font-family: sans-serif; font-size: 14px; vertical-ali=
gn: top;">&nbsp;</td>
      </tr>
    </table>
  </body>
</html>

--===============8196487897871356956==--