[QGIS-Developer] PostgreSQL vulnerability in the QGIS application

Régis Haubourg regis.haubourg at gmail.com
Thu Jul 2 02:21:22 PDT 2026


Hi ,

Your scanner finds Postgres CVE because OSGEO4W ships clients for 
postgresql, ie psql, libpq and common libs.

The CVE catalog often mix client and server together, which can be a 
reason for false positives.
Please check if the CVE concerns the client, in which case, you can 
raise the issue on the security list security at qgis.org, which is private 
... because security is one a the few reasons were we fix things 
privately and disclose them afterward .

 From what I read "Buffer over-read in PostgreSQL GB18030 encoding 
validation allows a database input provider to achieve temporary denial 
of service on platforms where a 1-byte over-read can elicit process 
termination. This affects the database server and also libpq. Versions 
before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected." , 
libpq is affected, so yes, this version is concerned.

Please be all aware that the whole numeric ecosystems faces massive CVE 
disclosure because (or thanks to) AI helping security researchers. We do 
our best to upgrade libraries as soon as critical vulnerabilities are 
confirmed. For lower level vulnerabilities, we keep on track with our 
monthly release schedule.

To sum up :

- for production and IT deployment, please stick to LTR

- please continue to raise your scanner issues on security at qgis.org, 
after having checked the latest installers before

- please consider subscribing to a QGIS sustaining membership. We are 
trying to get enough fund so that permanent staff can handle this 
security and compliance wave. If you make value from QGIS, and consider 
security and digital strategic autonomy priorities , our membership is 
easy to find at https://www.qgis.org/#sustaining-members .

Best regards


Bien cordialement,
Régis Haubourg

On 02/07/2026 09:33, HarishKumar J, (Springbord) via QGIS-Developer wrote:
> Dear Dror,
>
> Thank you for the clarification regarding the bundled installations.
>
> Based on your recommendation to use the Long Term Release (LTR) 
> version for organizational settings, we will look into the current LTR 
> 3.44. We will also monitor the upcoming release of QGIS 4.2.4 in October.
>
> Since QGIS does not come with a prebundled PostgreSQL installation, we 
> will investigate our internal deployment process to identify how 
> PostgreSQL 17.0.3 was included and proceed with the necessary upgrades 
> independently.
>
> Thanks
> Harish
>
>
> On Thu, Jul 2, 2026 at 12:17 PM Dror Bogin <dror.bogin at gmail.com> wrote:
>
>     Hi Harish,
>
>     Neither the standalone nor the OSGeo4W installations of QGIS come
>     with a prebundled PostgreSQL installation.
>     Since it sounds like you installed QGIS in an organization, it is
>     mostly recommended to use the LTR (Long Term Release) version
>     (currently 3.44) in that setting, not the newest version.
>     The first LTR of QGIS 4.x is planned to release in October, with
>     QGIS 4.2.4.
>
>     On Thu, 2 Jul 2026 at 08:48, HarishKumar J, (Springbord) via
>     QGIS-Developer <qgis-developer at lists.osgeo.org> wrote:
>
>         Hi There,
>
>         I hope you are well!
>
>         We are currently using QGIS version 4.0.3 and have identified
>         that it comes bundled with PostgreSQL version 17.0.3.
>
>         Our security monitoring has flagged multiple high-priority
>         vulnerabilities within this version of PostgreSQL (including
>         CVE-2025-4207 and others). According to PostgreSQL security
>         recommendations, a secure version would be 17.10 or higher.
>
>         Could you please confirm if there is a newer release of QGIS
>         that bundles a secure version of PostgreSQL? Additionally, if
>         a bundled update is not yet available, please advise on the
>         recommended process for upgrading the internal PostgreSQL
>         component to version 17.10 or above without impacting the QGIS
>         application's stability.
>
>         Thanks,
>         Harish
>         _______________________________________________
>         QGIS-Developer mailing list
>         QGIS-Developer at lists.osgeo.org
>         List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>         Unsubscribe:
>         https://lists.osgeo.org/mailman/listinfo/qgis-developer
>
>
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info:https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe:https://lists.osgeo.org/mailman/listinfo/qgis-developer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-developer/attachments/20260702/8ecfc77a/attachment.htm>


More information about the QGIS-Developer mailing list