| From: | Aditya Toshniwal <aditya(dot)toshniwal(at)enterprisedb(dot)com> |
|---|---|
| To: | Rogelio Villafana Sanchez <RVillafana-Sanchez(at)amdocs(dot)com> |
| Cc: | Chetan Lohi <Chetan(dot)Lohi(at)amdocs(dot)com>, "pgadmin-support(at)lists(dot)postgresql(dot)org" <pgadmin-support(at)lists(dot)postgresql(dot)org>, Akshay Swami <akshaysw(at)amdocs(dot)com>, "Manas (dot)" <Manas(dot)1(at)amdocs(dot)com> |
| Subject: | Re: pgAdmin 4 || vulnerable pip modules |
| Date: | 2026-02-23 09:07:35 |
| Message-ID: | CAM9w-_n6fTFroGzLqmtf+tqfVasd=+eeJUKG1-LggnMnAFKTSw@mail.gmail.com |
| Lists: | pgadmin-support |
Hi Rogelio,
We've already checked the mentioned CVEs in the latest version. I'm not
sure how WIZ works.
On Thu, Feb 19, 2026 at 8:35 PM Rogelio Villafana Sanchez <
RVillafana-Sanchez(at)amdocs(dot)com> wrote:
> Thanks, Chetan!
>
> Hi @Aditya Toshniwal <aditya(dot)toshniwal(at)enterprisedb(dot)com>, the only tool
> used is WIZ.
>
> *Rogelio Villafaña*
>
> DevOps Specialist | ATT BSSe
>
> *From:* Chetan Lohi <Chetan(dot)Lohi(at)amdocs(dot)com>
> *Sent:* Wednesday, February 18, 2026 11:22 PM
> *To:* Rogelio Villafana Sanchez <RVillafana-Sanchez(at)amdocs(dot)com>; Aditya
> Toshniwal <aditya(dot)toshniwal(at)enterprisedb(dot)com>
> *Cc:* pgadmin-support(at)lists(dot)postgresql(dot)org; Akshay Swami <
> akshaysw(at)amdocs(dot)com>; Manas . <Manas(dot)1(at)amdocs(dot)com>
> *Subject:* RE: pgAdmin 4 || vulnerable pip modules
>
> Hi Team,
>
> Wiz itself does the vulnerability scanning; there is no additional tool
> involved.
>
> Regards
>
> Chetan Lohi
>
> *From:* Rogelio Villafana Sanchez <RVillafana-Sanchez(at)amdocs(dot)com>
> *Sent:* Wednesday, February 18, 2026 11:54 PM
> *To:* Aditya Toshniwal <aditya(dot)toshniwal(at)enterprisedb(dot)com>; Chetan Lohi <
> Chetan(dot)Lohi(at)amdocs(dot)com>
> *Cc:* pgadmin-support(at)lists(dot)postgresql(dot)org; Akshay Swami <
> akshaysw(at)amdocs(dot)com>; Manas . <Manas(dot)1(at)amdocs(dot)com>
> *Subject:* RE: pgAdmin 4 || vulnerable pip modules
>
> Hello @Chetan <Chetan(dot)Lohi(at)amdocs(dot)com>,
>
> Could you help by sharing the scan tool details used for the WIZ report?
>
> *Rogelio Villafaña*
>
> DevOps Specialist | ATT BSSe
>
> *From:* Aditya Toshniwal <aditya(dot)toshniwal(at)enterprisedb(dot)com>
> *Sent:* Tuesday, February 17, 2026 11:36 PM
> *To:* Rogelio Villafana Sanchez <RVillafana-Sanchez(at)amdocs(dot)com>
> *Cc:* pgadmin-support(at)lists(dot)postgresql(dot)org; Akshay Swami <
> akshaysw(at)amdocs(dot)com>; Manas . <Manas(dot)1(at)amdocs(dot)com>
> *Subject:* Re: pgAdmin 4 || vulnerable pip modules
>
> Hi Rogelio,
>
> I checked the CVE list you shared and the package versions required to fix
> them. I then checked the pgAdmin venv for the actual installed versions and
> found them all to be newer.
>
> What did you use to scan the CVEs in pgAdmin?
>
> | CVE ID | Package | Required Version (or newer) | Primary Action |
> |---|---|---|---|
> | CVE-2025-68146 | filelock | v3.17.0 | Upgrade to prevent symlink-based file corruption. |
> | CVE-2025-68158 | Authlib | v1.4.1 | Upgrade to ensure OAuth states are strictly bound to user sessions. |
> | CVE-2025-69277 | libsodium | v1.0.21 | Update the underlying C library (often via pynacl update). |
> | CVE-2026-0994 | protobuf | v5.29.3 | Upgrade to enforce stricter recursion limits on nested messages. |
> | CVE-2026-21226 | azure-core | v1.31.0 | *Critical:* Upgrade immediately to disable insecure deserialization. |
> | CVE-2026-21441 | urllib3 | v2.3.1 | Upgrade to fix "Decompression Bomb" handling in redirects. |
> | CVE-2026-21860 | Werkzeug | v3.1.4 | Upgrade to properly sanitize Windows reserved device names. |
> | CVE-2026-22701 | filelock | v3.18.0 | Upgrade to patch the SoftFileLock race condition. |
> | CVE-2026-22702 | virtualenv | v20.29.2 | Upgrade to prevent symlink attacks during environment creation. |
> | CVE-2026-23490 | pyasn1 | v0.6.2 | Upgrade to prevent memory exhaustion from malformed OIDs. |
> | CVE-2026-23949 | jaraco.context | v6.1.0 | Upgrade to fix Path Traversal (Zip Slip) in tarball(). |
> | CVE-2026-24049 | wheel | v0.45.2 | Upgrade to prevent unauthorized chmod calls during unpacking. |
> | CVE-2026-26007 | cryptography | v44.0.2 | *Critical:* Upgrade to ensure validation of SECT curve points. |
>
> On Tue, Feb 17, 2026 at 9:18 PM Rogelio Villafana Sanchez <
> RVillafana-Sanchez(at)amdocs(dot)com> wrote:
>
> Hello pgAdmin support team,
>
> Three weeks ago, we completed the upgrade of pgAdmin to v9.11, yet in our
> last vulnerability scan report, several pip modules came into the picture
> as vulnerable versions.
>
> As these are modules which come embedded in the site-packages installer,
> we would like to confirm the questions below with you.
>
> 1. Is there any existing/coming version that fixes the shared CVEs?
> 2. Will it be on the roadmap? If yes, when is the plan to fix it?
> 3. Can we delete those files? Do we see any impact?
> 4. We can see v9.12 was just released, but does this version fix the
> CVEs or have the modules on fixed versions?
> 5. Also, we know these CVEs might be false positives; if yes, please
> share the description.
>
> CVE-2025-68146
> CVE-2025-68158
> CVE-2025-69277
> CVE-2026-0994
> CVE-2026-21226
> CVE-2026-21441
> CVE-2026-21860
> CVE-2026-22701
> CVE-2026-22702
> CVE-2026-23490
> CVE-2026-23949
> CVE-2026-24049
> CVE-2026-26007
>
> *Rogelio Villafaña*
>
> DevOps Specialist | ATT BSSe
>
> *This email and the information contained herein is proprietary and
> confidential and subject to the Amdocs Email Terms of Service, which you
> may review at* *https://www.amdocs.com/about/email-terms-of-service*
> <https://www.amdocs.com/about/email-terms-of-service>
>
> --
>
> Thanks,
>
> Aditya Toshniwal
>
> pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com*
> <https://www.enterprisedb.com/>
>
> "Don't Complain about Heat, Plant a TREE"
>
>
--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com*
<https://www.enterprisedb.com/>
"Don't Complain about Heat, Plant a TREE"
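The check described in the thread, comparing the versions actually installed in the pgAdmin venv against the fixed versions in the CVE table, written out as an added example. This is not part of the thread and not pgAdmin's own tooling; the CVE/package/version pairs are the ones quoted above, the installed-version snapshot `SAMPLE_INSTALLED` is constructed, and the version comparison is a simplified numeric one (not full PEP 440), which is enough for the x.y.z floors in that table. It also handles the case the table itself contains: two CVEs on the same package (filelock) with different floors, where the higher floor is the one that matters.

```python
"""Audit installed Python packages against the minimum fixed versions from a CVE list.

Added example, not pgAdmin's own tooling. FIXED_IN is taken from the thread's
table; SAMPLE_INSTALLED is a constructed snapshot used for the demonstration.
"""
import re
from importlib import metadata

# CVE -> (distribution name, first version containing the fix), from the thread.
FIXED_IN = {
    "CVE-2025-68146": ("filelock", "3.17.0"),
    "CVE-2025-68158": ("Authlib", "1.4.1"),
    "CVE-2025-69277": ("libsodium", "1.0.21"),  # C library, usually bundled by pynacl
    "CVE-2026-0994": ("protobuf", "5.29.3"),
    "CVE-2026-21226": ("azure-core", "1.31.0"),
    "CVE-2026-21441": ("urllib3", "2.3.1"),
    "CVE-2026-21860": ("Werkzeug", "3.1.4"),
    "CVE-2026-22701": ("filelock", "3.18.0"),
    "CVE-2026-22702": ("virtualenv", "20.29.2"),
    "CVE-2026-23490": ("pyasn1", "0.6.2"),
    "CVE-2026-23949": ("jaraco.context", "6.1.0"),
    "CVE-2026-24049": ("wheel", "0.45.2"),
    "CVE-2026-26007": ("cryptography", "44.0.2"),
}


def parse_version(text):
    """Turn '3.17.0', 'v20.29.2' or '2.3.1rc1' into a tuple of ints.

    Only the numeric release segment is compared; pre-release suffixes are
    dropped. That is a simplification of PEP 440, adequate for x.y.z floors."""
    parts = []
    for piece in text.strip().lstrip("vV").split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts) if parts else (0,)


def at_least(installed, required):
    """True when installed >= required, padding shorter tuples with zeros."""
    a, b = parse_version(installed), parse_version(required)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def normalize(name):
    """Distribution names match case-insensitively with '-', '_' and '.' folded."""
    return re.sub(r"[-_.]+", "-", name).lower()


def effective_floors(fixed_in=FIXED_IN):
    """Highest fixed version per package. With two CVEs on filelock,
    3.18.0 is the floor that clears both."""
    floors = {}
    for pkg, ver in fixed_in.values():
        key = normalize(pkg)
        if key not in floors or not at_least(floors[key][1], ver):
            floors[key] = (pkg, ver)
    return floors


def audit(installed, fixed_in=FIXED_IN):
    """Return {cve: (package, installed_version_or_None, required, status)}."""
    inst = {normalize(k): v for k, v in installed.items()}
    report = {}
    for cve, (pkg, ver) in fixed_in.items():
        have = inst.get(normalize(pkg))
        if have is None:
            status = "not installed"
        elif at_least(have, ver):
            status = "fixed"
        else:
            status = "vulnerable"
        report[cve] = (pkg, have, ver, status)
    return report


def summary(report):
    """Count CVEs per status so a scan result can be checked at a glance."""
    counts = {}
    for _, _, _, status in report.values():
        counts[status] = counts.get(status, 0) + 1
    return counts


def installed_from_environment(fixed_in=FIXED_IN):
    """Read real versions via importlib.metadata (run inside the pgAdmin venv)."""
    found = {}
    for pkg, _ in fixed_in.values():
        try:
            found[pkg] = metadata.version(pkg)
        except metadata.PackageNotFoundError:
            pass  # not installed: reported as such by audit()
    return found


# Constructed snapshot: filelock is stale for one of its two CVEs, libsodium
# is absent (it is a C library, not a pip distribution), the rest are newer.
SAMPLE_INSTALLED = {
    "filelock": "3.17.0", "authlib": "1.6.0", "protobuf": "5.29.5",
    "azure-core": "1.32.0", "urllib3": "2.3.1", "werkzeug": "3.1.4",
    "virtualenv": "20.30.0", "pyasn1": "0.6.2", "jaraco.context": "6.1.0",
    "wheel": "0.45.2", "cryptography": "45.0.0",
}

if __name__ == "__main__":
    for cve, (pkg, have, need, status) in audit(SAMPLE_INSTALLED).items():
        print(f"{cve:16} {pkg:16} installed={have or '-':10} required>={need:10} {status}")
    print(summary(audit(SAMPLE_INSTALLED)))
```

To run it against a real installation, replace `SAMPLE_INSTALLED` with `installed_from_environment()` while the pgAdmin venv's interpreter is active; a package whose CVE fix lives in a bundled C library (libsodium inside pynacl) will show as "not installed" because there is no pip distribution by that name, which is one reason a scanner's view and `pip`'s view of the same environment can disagree.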