Re: pgAdmin 4 || vulnerable pip modules

From: Aditya Toshniwal <aditya(dot)toshniwal(at)enterprisedb(dot)com>
To: Rogelio Villafana Sanchez <RVillafana-Sanchez(at)amdocs(dot)com>
Cc: "pgadmin-support(at)lists(dot)postgresql(dot)org" <pgadmin-support(at)lists(dot)postgresql(dot)org>, Akshay Swami <akshaysw(at)amdocs(dot)com>, "Manas (dot)" <Manas(dot)1(at)amdocs(dot)com>
Subject: Re: pgAdmin 4 || vulnerable pip modules
Date: 2026-02-18 05:35:45
Message-ID: CAM9w-_=S5ouh8EydZL_qiWkEXMghufbkniDCM0eS9Zaqk=T3NQ@mail.gmail.com
Lists: pgadmin-support

Hi Rogelio,

I checked the CVE list you shared and the package versions required to fix
them. I then checked the pgAdmin venv for the actual installed versions and
found them all to be newer.
What did you use to scan the CVEs in pgAdmin?

CVE ID          Package         Required version (or newer)   Primary action
CVE-2025-68146  filelock        v3.17.0                       Upgrade to prevent symlink-based file corruption.
CVE-2025-68158  Authlib         v1.4.1                        Upgrade to ensure OAuth states are strictly bound to user sessions.
CVE-2025-69277  libsodium       v1.0.21                       Update the underlying C library (often via a pynacl update).
CVE-2026-0994   protobuf        v5.29.3                       Upgrade to enforce stricter recursion limits on nested messages.
CVE-2026-21226  azure-core      v1.31.0                       Critical: upgrade immediately to disable insecure deserialization.
CVE-2026-21441  urllib3         v2.3.1                        Upgrade to fix "Decompression Bomb" handling in redirects.
CVE-2026-21860  Werkzeug        v3.1.4                        Upgrade to properly sanitize Windows reserved device names.
CVE-2026-22701  filelock        v3.18.0                       Upgrade to patch the SoftFileLock race condition.
CVE-2026-22702  virtualenv      v20.29.2                      Upgrade to prevent symlink attacks during environment creation.
CVE-2026-23490  pyasn1          v0.6.2                        Upgrade to prevent memory exhaustion from malformed OIDs.
CVE-2026-23949  jaraco.context  v6.1.0                        Upgrade to fix Path Traversal (Zip Slip) in tarball().
CVE-2026-24049  wheel           v0.45.2                       Upgrade to prevent unauthorized chmod calls during unpacking.
CVE-2026-26007  cryptography    v44.0.2                       Critical: upgrade to ensure validation of SECT curve points.

On Tue, Feb 17, 2026 at 9:18 PM Rogelio Villafana Sanchez <RVillafana-Sanchez(at)amdocs(dot)com> wrote:

> Hello pgAdmin support team,
>
> Three weeks ago we completed the upgrade of pgAdmin to v9.11, yet in our
> last vulnerability scan report several pip modules came up as vulnerable
> versions.
>
> As these are modules that come embedded in the site-packages installer,
> we would like to confirm the questions below with you.
>
> 1. Is there any existing/upcoming version that fixes the shared CVEs?
> 2. Will it be on the roadmap? If yes, when is the plan to fix it?
> 3. Can we delete those files, or would we see any impact?
> 4. We can see v9.12 was just released, but does this version fix the
> CVEs or have the modules on fixed versions?
> 5. Also, we know these CVEs might be false positives; if so, please
> share the description.
>
>
>
> CVE-2025-68146
> CVE-2025-68158
> CVE-2025-69277
> CVE-2026-0994
> CVE-2026-21226
> CVE-2026-21441
> CVE-2026-21860
> CVE-2026-22701
> CVE-2026-22702
> CVE-2026-23490
> CVE-2026-23949
> CVE-2026-24049
> CVE-2026-26007
>
> *Rogelio Villafaña*
>
> DevOps Specialist | ATT BSSe
>

--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com* <https://www.enterprisedb.com/>
"Don't Complain about Heat, Plant a TREE"
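As an added illustration (not code from this thread or from pgAdmin), here is the kind of check the reply above describes: comparing the versions actually installed in the pgAdmin venv against the minimum fixed versions from the table. The package names and versions come from the table; the function names, status labels and the pre-release handling are this example's own assumptions, and libsodium is treated as not being a pip distribution (it ships inside the pynacl wheel).

```python
# Added example, not pgAdmin code: check installed packages against the table above.
import re
from importlib import metadata

REQUIRED = {  # CVE -> (package, minimum fixed version), from the table above
    "CVE-2025-68146": ("filelock", "3.17.0"),
    "CVE-2025-68158": ("Authlib", "1.4.1"),
    "CVE-2025-69277": ("libsodium", "1.0.21"),  # C library bundled in pynacl
    "CVE-2026-0994": ("protobuf", "5.29.3"),
    "CVE-2026-21226": ("azure-core", "1.31.0"),
    "CVE-2026-21441": ("urllib3", "2.3.1"),
    "CVE-2026-21860": ("Werkzeug", "3.1.4"),
    "CVE-2026-22701": ("filelock", "3.18.0"),
    "CVE-2026-22702": ("virtualenv", "20.29.2"),
    "CVE-2026-23490": ("pyasn1", "0.6.2"),
    "CVE-2026-23949": ("jaraco.context", "6.1.0"),
    "CVE-2026-24049": ("wheel", "0.45.2"),
    "CVE-2026-26007": ("cryptography", "44.0.2"),
}

def parse_version(text):
    """'v3.18.0' -> comparable tuple; a pre-release suffix sorts below final."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))  # pad so that 3.17 compares equal to 3.17.0
    return nums + ((0,) if m.group(2) else (1,))  # final release > pre-release

def installed_version(name):
    """Version of an installed pip distribution, or None (libsodium: always None)."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None

def status(have, minimum):
    """'fixed', 'vulnerable' or 'not installed' for one package."""
    if have is None:
        return "not installed"
    return "fixed" if parse_version(have) >= parse_version(minimum) else "vulnerable"

def audit(installed):
    return {cve: status(installed.get(pkg), minimum)
            for cve, (pkg, minimum) in REQUIRED.items()}

if __name__ == "__main__":
    found = {pkg: installed_version(pkg) for pkg, _ in REQUIRED.values()}
    for cve, result in audit(found).items():
        print(f"{cve:15} {REQUIRED[cve][0]:15} {result}")
```

Run it with the venv's own interpreter (e.g. the python under pgAdmin's venv) so that importlib.metadata sees the same site-packages the scanner flagged; a "not installed" row for a pip package means the scanner matched something other than that venv.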
