[QGIS-Developer] PostgreSQL vulnerability in the QGIS application
Dror Bogin
dror.bogin at gmail.com
Wed Jul 1 23:47:10 PDT 2026
Hi Harish,
Neither the standalone nor the OSGeo4W installations of QGIS come with a
prebundled PostgreSQL installation.
Since it sounds like you installed QGIS in an organization, it is mostly
recommended to use the LTR (Long Term Release) version (currently 3.44) in
that setting, not the newest version.
The first LTR of QGIS 4.x is planned to release in October, with QGIS 4.2.4.
On Thu, 2 Jul 2026 at 08:48, HarishKumar J, (Springbord) via QGIS-Developer
<qgis-developer at lists.osgeo.org> wrote:
> Hi There,
>
> I hope you are well!
>
> We are currently using QGIS version 4.0.3 and have identified that it
> comes bundled with PostgreSQL version 17.0.3.
>
> Our security monitoring has flagged multiple high-priority vulnerabilities
> within this version of PostgreSQL (including CVE-2025-4207 and others).
> According to PostgreSQL security recommendations, a secure version would be
> 17.10 or higher.
>
> Could you please confirm if there is a newer release of QGIS that bundles
> a secure version of PostgreSQL? Additionally, if a bundled update is not
> yet available, please advise on the recommended process for upgrading the
> internal PostgreSQL component to version 17.10 or above without impacting
> the QGIS application's stability.
>
> Thanks,
> Harish
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-developer/attachments/20260702/46c5ba38/attachment-0001.htm>
More information about the QGIS-Developer
mailing list