Released: 14 May 2026
Bug fixes and security improvements in Postgres Enterprise Manager 10.4.2 include the following:
Security Fixes
| Description | Addresses |
|---|---|
| Fixed CVE-2026-7814 — prevented stored XSS in the browser tree and explain visualizer by rendering crafted PostgreSQL object names via `textContent` instead of `innerHTML` (ported from pgAdmin commit 3294e74). | |
| Fixed CVE-2026-7815 — fixed SQL injection in the Maintenance Tool by allow-list validating the `INDEX_CLEANUP`, `PARALLEL`, `BUFFER_USAGE_LIMIT`, and `TABLESPACE` option fields and routing `reindex_tablespace` through `qtIdent` (ported from pgAdmin commit cf53953d9). | |
| Fixed CVE-2026-7816 — fixed OS command injection in the Import/Export query-export feature by introducing a psql-strtokx-modeled parenthesis-balance parser, rejecting null bytes, normalizing line breaks, and allow-list validating the `format`, `on_error`, and `log_verbosity` parameters (ported from pgAdmin commit 13badc62c). | |
| Fixed CVE-2026-7818 — fixed unsafe pickle deserialization in the file-backed session manager by prepending a SHA-256 HMAC over the serialized body and verifying it with `hmac.compare_digest` before deserialization. Existing session files written by prior versions are silently invalidated on read; users are required to re-authenticate once after upgrade (ported from pgAdmin commit 30a890337). | |
| Fixed CVE-2026-7819 — fixed symbolic-link path traversal in the File Manager by resolving paths through `os.path.realpath` in `check_access_permission` and opening uploads with `O_NOFOLLOW` and `0o600` file mode (ported from pgAdmin commit 435752b83). | |
| Fixed CVE-2026-7820 — fixed account-lockout bypass via the Flask-Security default `/login` endpoint by overriding `User.is_active` and `User.is_locked()` to consult the `locked` column on every authentication path. Includes a SQLite-only data normalization migration; no-op on PostgreSQL config databases (ported from pgAdmin commit d336c1e78). | |
| Updated Cryptography to 46.0.7 to fix CVE-2026-39892, protecting users from potential security vulnerabilities in cryptographic operations. | |
| Updated urllib3 to 2.7.0 to fix BDSA-2026-9851, protecting users from potential security vulnerabilities in HTTP client operations. | |
| Updated Authlib to 1.6.12 to fix CVE-2026-41425, protecting users from potential security vulnerabilities in OAuth and JWT handling. | |
| Updated Mako to 1.3.12 to fix CVE-2026-41205, protecting users from potential security vulnerabilities in template rendering. | |
| Updated axios/follow-redirects to 1.16.0 to fix CVE-2026-40175, CVE-2026-42033, and CVE-2026-42035, protecting users from potential security vulnerabilities in HTTP redirect handling. | |
| Updated PostCSS to 8.5.14 to fix CVE-2026-41305, protecting users from potential security vulnerabilities in CSS processing. | |
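
As an added illustration of the CVE-2026-7818 fix pattern (this is not PEM or pgAdmin code), the sketch below signs a pickled session file with an HMAC-SHA256 tag prepended to the body and verifies it with `hmac.compare_digest` before `pickle.loads` ever runs, so a pre-upgrade unsigned file or a modified body is treated as no session; the key, file names and session values are constructed for the demo.

```python
import hashlib
import hmac
import os
import pickle
import tempfile

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag prefix
# Constructed demo key; a real deployment derives it from the server secret.
DEMO_KEY = b"constructed-demo-secret-key"


def save_session(path, data, key=DEMO_KEY):
    """Write HMAC-SHA256(body) || body to `path`, created with mode 0o600."""
    body = pickle.dumps(data, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(tag + body)


def load_session(path, key=DEMO_KEY):
    """Return the session dict, or None if the file is missing, truncated,
    tampered with, or a legacy unsigned file. pickle.loads runs only after
    hmac.compare_digest has accepted the tag."""
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except FileNotFoundError:
        return None
    if len(raw) < TAG_LEN:
        return None
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject before deserializing anything
    return pickle.loads(body)


def demo():
    """Round-trip a signed session; show that a pre-upgrade bare-pickle file
    and a signed file with one flipped body byte are both rejected."""
    with tempfile.TemporaryDirectory() as d:
        signed, legacy, bad = (os.path.join(d, n) for n in ("s", "l", "b"))
        save_session(signed, {"user": "alice", "role": "admin"})
        with open(legacy, "wb") as fh:  # old format: bare pickle, no tag
            fh.write(pickle.dumps({"user": "alice"}))
        with open(signed, "rb") as fh:
            raw = fh.read()
        with open(bad, "wb") as fh:  # flip the last byte of the body
            fh.write(raw[:-1] + bytes([raw[-1] ^ 1]))
        return load_session(signed), load_session(legacy), load_session(bad)
```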
Bug Fixes
| Description | Addresses |
|---|---|
| PEM upgrade now errors out when an upgrade script fails, preventing silent partial upgrades. | |
| Updated React to 19.2.6 to fix CVE-2026-23869, protecting users from potential security vulnerabilities in the UI rendering layer. | |
| Fixed the upgrade file so that it handles the `log_connections` column of the `pemhistory` `log_configuration` table. | |
| Fixed an issue where it was not possible to filter by server in the Barman dashboard's candle chart. | |