
Commit ba9ff51

docs: assign CVE IDs to v9.15 release-notes placeholders
Replaces the "(CVE pending)" markers on the seven placeholder issues with their assigned identifiers:

#9830 -> CVE-2026-7813 (cross-user data access / shared-server escalation)
#9865 -> CVE-2026-7814 (stored XSS via crafted PostgreSQL object names)
#9898 -> CVE-2026-7815 (SQL injection in Maintenance tool option values)
#9899 -> CVE-2026-7816 (OS command injection in Import/Export query export)
#9900 -> CVE-2026-7817 (LFI/SSRF in LLM API configuration endpoints)
#9901 -> CVE-2026-7818 (unsafe deserialization in session manager)
#9902 -> CVE-2026-7819 (symlink path traversal in file manager)
#9904 -> CVE-2026-7820 (account-lockout bypass via Flask-Security /login)

#9835 is a follow-up to #9830 and shares CVE-2026-7813, so its parenthetical is dropped rather than replaced with a separate ID.

To be revealed publicly when this branch is pushed for the 9.15 release.
1 parent 6469b69 commit ba9ff51

1 file changed

Lines changed: 9 additions & 9 deletions

File tree

docs/en_US/release_notes_9_15.rst

@@ -38,15 +38,15 @@ Bug fixes
3838
*********
3939

4040
| `Issue #9656 <https://github.com/pgadmin-org/pgadmin4/issues/9656>`_ - Use absolute paths for ``a2enmod`` and ``a2enconf`` in the Debian setup script so it works when ``/usr/sbin`` is not on PATH.
41-
| `Issue #9830 <https://github.com/pgadmin-org/pgadmin4/issues/9830>`_ - Fix cross-user data access and shared-server privilege escalation in server mode (CVE pending). Also applies the ``@with_object_filters`` access-control decorator to ``ServerNode.list``.
42-
| `Issue #9835 <https://github.com/pgadmin-org/pgadmin4/issues/9835>`_ - Tighten Shared Server feature parity, owner-only field handling, and write guards as a follow-up to the data-isolation hardening (CVE pending).
43-
| `Issue #9865 <https://github.com/pgadmin-org/pgadmin4/issues/9865>`_ - Fix stored cross-site scripting (XSS) via crafted PostgreSQL object names rendered in the Browser Tree and Explain Visualizer (CVE pending). Reported by Fahar Abbas.
44-
| `Issue #9898 <https://github.com/pgadmin-org/pgadmin4/issues/9898>`_ - Fix SQL injection in Maintenance tool option values (CVE pending). Reported by j3seer.
45-
| `Issue #9899 <https://github.com/pgadmin-org/pgadmin4/issues/9899>`_ - Fix OS command injection in Import/Export query export (CVE pending). Reported by Chung Kim (chungkn), OneMount Group.
46-
| `Issue #9900 <https://github.com/pgadmin-org/pgadmin4/issues/9900>`_ - Fix local-file inclusion and server-side request forgery in LLM API configuration endpoints (CVE pending). Reported by j3seer.
47-
| `Issue #9901 <https://github.com/pgadmin-org/pgadmin4/issues/9901>`_ - Fix unsafe deserialization in the session manager that could lead to remote code execution (CVE pending). Also encrypts session files at rest using Fernet, restricts session-file permissions to 0o600, switches the session-digest default from SHA-1 to SHA-256, drops several non-roundtrippable live objects from the session (``AuthSourceManager`` and the Azure, RDS, Google Cloud, and BigAnimal cloud-provider instances), tightens DATA_DIR file and directory permissions at creation, creates ``pgadmin4.log`` with mode 0o600, hardens ``EnhancedRotatingFileHandler._open`` against rotation failures, and bounds the ``user_info_server`` prompt retry loop so a non-interactive caller cannot spin forever. Reported by Fernando Bortotti.
48-
| `Issue #9902 <https://github.com/pgadmin-org/pgadmin4/issues/9902>`_ - Fix symlink-based path traversal in the file manager (CVE pending). Reported by Fernando Bortotti.
49-
| `Issue #9904 <https://github.com/pgadmin-org/pgadmin4/issues/9904>`_ - Fix account-lockout bypass on Flask-Security's default ``/login`` view by overriding ``User.is_active`` and ``User.is_locked()`` so the ``locked`` field is honored on every authentication path (CVE pending). Reported by Fernando Bortotti.
41+
| `Issue #9830 <https://github.com/pgadmin-org/pgadmin4/issues/9830>`_ - Fix cross-user data access and shared-server privilege escalation in server mode (CVE-2026-7813). Also applies the ``@with_object_filters`` access-control decorator to ``ServerNode.list``.
42+
| `Issue #9835 <https://github.com/pgadmin-org/pgadmin4/issues/9835>`_ - Tighten Shared Server feature parity, owner-only field handling, and write guards as a follow-up to the data-isolation hardening.
43+
| `Issue #9865 <https://github.com/pgadmin-org/pgadmin4/issues/9865>`_ - Fix stored cross-site scripting (XSS) via crafted PostgreSQL object names rendered in the Browser Tree and Explain Visualizer (CVE-2026-7814). Reported by Fahar Abbas.
44+
| `Issue #9898 <https://github.com/pgadmin-org/pgadmin4/issues/9898>`_ - Fix SQL injection in Maintenance tool option values (CVE-2026-7815). Reported by j3seer.
45+
| `Issue #9899 <https://github.com/pgadmin-org/pgadmin4/issues/9899>`_ - Fix OS command injection in Import/Export query export (CVE-2026-7816). Reported by Chung Kim (chungkn), OneMount Group.
46+
| `Issue #9900 <https://github.com/pgadmin-org/pgadmin4/issues/9900>`_ - Fix local-file inclusion and server-side request forgery in LLM API configuration endpoints (CVE-2026-7817). Reported by j3seer.
47+
| `Issue #9901 <https://github.com/pgadmin-org/pgadmin4/issues/9901>`_ - Fix unsafe deserialization in the session manager that could lead to remote code execution (CVE-2026-7818). Also encrypts session files at rest using Fernet, restricts session-file permissions to 0o600, switches the session-digest default from SHA-1 to SHA-256, drops several non-roundtrippable live objects from the session (``AuthSourceManager`` and the Azure, RDS, Google Cloud, and BigAnimal cloud-provider instances), tightens DATA_DIR file and directory permissions at creation, creates ``pgadmin4.log`` with mode 0o600, hardens ``EnhancedRotatingFileHandler._open`` against rotation failures, and bounds the ``user_info_server`` prompt retry loop so a non-interactive caller cannot spin forever. Reported by Fernando Bortotti.
48+
| `Issue #9902 <https://github.com/pgadmin-org/pgadmin4/issues/9902>`_ - Fix symlink-based path traversal in the file manager (CVE-2026-7819). Reported by Fernando Bortotti.
49+
| `Issue #9904 <https://github.com/pgadmin-org/pgadmin4/issues/9904>`_ - Fix account-lockout bypass on Flask-Security's default ``/login`` view by overriding ``User.is_active`` and ``User.is_locked()`` so the ``locked`` field is honored on every authentication path (CVE-2026-7820). Reported by Fernando Bortotti.
5050
5151
Additional changes (no associated issue)
5252
****************************************
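Review bot: The #9835 entry now carries no identifier at all, so a reader cross-referencing advisories against these release notes cannot tell it is covered by CVE-2026-7813; the only record of that link is the commit message. Consider keeping a parenthetical such as "(part of CVE-2026-7813)" on that line instead of dropping it. Separately, the commit message says "seven placeholder issues" while the hunk replaces nine "(CVE pending)" markers (eight new identifiers plus the one dropped from #9835); the count in the message should be corrected before this lands.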
