[QGIS-Developer] PostgreSQL vulnerability in the QGIS application

Greg Troxel gdt at lexort.com
Thu Jul 2 05:02:22 PDT 2026


"HarishKumar J, (Springbord) via QGIS-Developer"
<qgis-developer at lists.osgeo.org> writes:

> We are currently using QGIS version 4.0.3 and have identified that it comes
> bundled with PostgreSQL version 17.0.3.

You should understand that qgis is fundamentally a source code release,
and that therefore it is incorrect in general to speak of it as having a
specific associated postgresql version.

It is likely that you are using some specific bundled installer that
also contains dependencies, for a specific operating system -- but you
did not give any information about that.

> Could you please confirm if there is a newer release of QGIS that bundles a
> secure version of PostgreSQL? Additionally, if a bundled update is not yet
> available, please advise on the recommended process for upgrading the
> internal PostgreSQL component to version 17.10 or above without impacting
> the QGIS application's stability.

This is open source, and you are (legally) able to modify the control
files for the bundle and produce your own updated installers -- and then
contribute changes back.  Given your organization's security concerns,
you may wish to hire an employee or consultant who can help with this.
I would expect that the cost of consulting or a managed build service
would be far below the cost of proprietary licenses for proprietary
GIS software.


Separately, if you are concerned about stability, it is a surprising and
perhaps unwise choice to be using 4.0.3.  qgis continues to recommend
3.44.x as the stable version.


More information about the QGIS-Developer mailing list