diff --git a/Android/android.py b/Android/android.py
index 75f73cd30993da..e6090aa1d80db0 100755
--- a/Android/android.py
+++ b/Android/android.py
@@ -187,7 +187,7 @@ def unpack_deps(host, prefix_dir):
 os.chdir(prefix_dir)
 deps_url = "https://github.com/beeware/cpython-android-source-deps/releases/download"
 for name_ver in ["bzip2-1.0.8-3", "libffi-3.4.4-3", "openssl-3.0.15-4",
- "sqlite-3.49.1-0", "xz-5.4.6-1", "zstd-1.5.7-1"]:
+ "sqlite-3.50.4-0", "xz-5.4.6-1", "zstd-1.5.7-1"]:
 filename = f"{name_ver}-{host}.tar.gz"
 download(f"{deps_url}/{name_ver}/{filename}")
 shutil.unpack_archive(filename)
diff --git a/Mac/BuildScript/build-installer.py b/Mac/BuildScript/build-installer.py
index b31cb766a468f4..c6002a5c30bd9c 100755
--- a/Mac/BuildScript/build-installer.py
+++ b/Mac/BuildScript/build-installer.py
@@ -37,6 +37,7 @@ Usage: see USAGE variable in the script.
 """
 import platform, os, sys, getopt, textwrap, shutil, stat, time, pwd, grp
+import hashlib
 try:
 import urllib2 as urllib_request
 except ImportError:
@@ -359,9 +360,9 @@ def library_recipes():
 ),
 ),
 dict(
- name="SQLite 3.49.1",
- url="https://sqlite.org/2025/sqlite-autoconf-3490100.tar.gz",
- checksum="106642d8ccb36c5f7323b64e4152e9b719f7c0215acf5bfeac3d5e7f97b59254",
+ name="SQLite 3.50.4",
+ url="https://www.sqlite.org/2025/sqlite-autoconf-3500400.tar.gz",
+ checksum="sha3-256:330bb88febc08814d49406391891eddac59e5f812e87b83c27ab172687554375",
 extra_cflags=('-Os '
 '-DSQLITE_ENABLE_FTS5 '
 '-DSQLITE_ENABLE_FTS4 '
@@ -795,7 +796,7 @@ def downloadURL(url, fname):
 def verifyThirdPartyFile(url, checksum, fname):
 """
 Download file from url to filename fname if it does not already exist.
- Abort if file contents does not match supplied md5 checksum.
+ Abort if file contents does not match supplied hashlib checksum.
 """
 name = os.path.basename(fname)
 if os.path.exists(fname):
@@ -805,16 +806,30 @@ def verifyThirdPartyFile(url, checksum, fname):
 print("Downloading %s"%(name,))
 downloadURL(url, fname)
 print("Archive for %s stored as %s"%(name, fname))
- if len(checksum) == 32:
+ if ':' in checksum:
+ algo, _, checksum = checksum.partition(':')
+ assert algo in hashlib.algorithms_guaranteed, f"Unsupported {algo}, try sha3-256 or sha256 instead."
+ if algo in ("md5", "sha1"):
+ raise ValueError(f"Known insecure checksum algorithm {algo} for {fname}.")
+ if algo.startswith(("shake", "blake")):
+ raise ValueError(f"Please stick to sha2 or sha3 standard checksum algorithms, not {algo}")
+ # TODO remove length based logic AND legacy md5s after updating the ones we already list.
+ elif len(checksum) == 32:
 algo = 'md5'
+ print("WARNING: insecure md5 used for {fname}", file=sys.stderr)
 elif len(checksum) == 64:
 algo = 'sha256'
 else:
 raise ValueError(checksum)
- if os.system(
- 'CHECKSUM=$(openssl %s %s) ; test "${CHECKSUM##*= }" = "%s"'
- % (algo, shellQuote(fname), checksum) ):
- fatal('%s checksum mismatch for file %s' % (algo, fname))
+ with open(fname, 'rb') as downloaded_file:
+ if hasattr(hashlib, 'file_digest'):
+ hasher = hashlib.file_digest(downloaded_file, algo) # 3.11+
+ else:
+ hasher = hashlib.new(algo, downloaded_file.read())
+ computed_checksum = hasher.hexdigest()
+ if computed_checksum != checksum:
+ fatal(f"{algo} hashlib checksum mismatch for file {fname}")
+
 def build_universal_openssl(basedir, archList):
 """
diff --git a/Misc/NEWS.d/next/Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst b/Misc/NEWS.d/next/Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst
new file mode 100644
index 00000000000000..ddccf95b7d039a
--- /dev/null
+++ b/Misc/NEWS.d/next/Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst
@@ -0,0 +1 @@
+Update Windows installer to ship with SQLite 3.50.4.
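Review bot: The allow-list check on the new `algo:` prefix is `assert algo in hashlib.algorithms_guaranteed`, but hashlib spells its SHA-3 names with underscores (`sha3_256`), so the `sha3-256:` prefix that the SQLite recipe in this same commit uses would not pass it, and the assertion message recommends the hyphenated spelling as well. Because this is the integrity gate for a downloaded archive it should not be an `assert` either, since that statement is dropped under `python -O`; `algo = algo.replace('-', '_')` followed by `if algo not in hashlib.algorithms_guaranteed: raise ValueError(f"Unsupported checksum algorithm {algo}")` keeps the check explicit and accepts both spellings. Separately, the legacy-md5 warning lacks its `f` prefix and prints the literal `{fname}`; it should read `print(f"WARNING: insecure md5 used for {fname}", file=sys.stderr)`. The body of verifyThirdPartyFile starts before this hunk, so the download and early-return logic above it is not reviewed here.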
diff --git a/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst b/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst
new file mode 100644
index 00000000000000..957270f5abae93
--- /dev/null
+++ b/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst
@@ -0,0 +1 @@
+Update macOS installer to ship with SQLite version 3.50.4.
diff --git a/Misc/externals.spdx.json b/Misc/externals.spdx.json
index 69f3beec82ed34..a87af7f9173780 100644
--- a/Misc/externals.spdx.json
+++ b/Misc/externals.spdx.json
@@ -91,21 +91,21 @@
 "checksums": [
 {
 "algorithm": "SHA256",
- "checksumValue": "e335aeb44fa36cde60ecbb6a9f8be6f5d449d645ce9b0199ee53a7e6728d19d2"
+ "checksumValue": "fb5ab81f27612b0a7b4861ba655906c76dc85ee969e7a4905d2075aff931e8d0"
 }
 ],
- "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/sqlite-3.49.1.0.tar.gz",
+ "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/sqlite-3.50.4.0.tar.gz",
 "externalRefs": [
 {
 "referenceCategory": "SECURITY",
- "referenceLocator": "cpe:2.3:a:sqlite:sqlite:3.49.1.0:*:*:*:*:*:*:*",
+ "referenceLocator": "cpe:2.3:a:sqlite:sqlite:3.50.4.0:*:*:*:*:*:*:*",
 "referenceType": "cpe23Type"
 }
 ],
 "licenseConcluded": "NOASSERTION",
 "name": "sqlite",
 "primaryPackagePurpose": "SOURCE",
- "versionInfo": "3.49.1.0"
+ "versionInfo": "3.50.4.0"
 },
 {
 "SPDXID": "SPDXRef-PACKAGE-tcl-core",
diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat
index e29054f5734d49..eff8d1ccd7f146 100644
--- a/PCbuild/get_externals.bat
+++ b/PCbuild/get_externals.bat
@@ -56,7 +56,7 @@ set libraries=%libraries% bzip2-1.0.8
 if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries% libffi-3.4.4
 if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-3.0.16
 set libraries=%libraries% mpdecimal-4.0.0
-set libraries=%libraries% sqlite-3.49.1.0
+set libraries=%libraries% sqlite-3.50.4.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.15.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.15.0
 set libraries=%libraries% xz-5.2.5
diff --git a/PCbuild/python.props b/PCbuild/python.props
index ddc7696d2762fe..e1c2ff3fe3cc11 100644
--- a/PCbuild/python.props
+++ b/PCbuild/python.props
@@ -74,7 +74,7 @@
- $(ExternalsDir)sqlite-3.49.1.0\
+ $(ExternalsDir)sqlite-3.50.4.0\
 $(ExternalsDir)bzip2-1.0.8\
 $(ExternalsDir)xz-5.2.5\
 $(ExternalsDir)libffi-3.4.4\
diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt
index 3ae3255d933967..27c0d382281bdb 100644
--- a/PCbuild/readme.txt
+++ b/PCbuild/readme.txt
@@ -237,7 +237,7 @@ _ssl again when building. _sqlite3
- Wraps SQLite 3.49.1, which is itself built by sqlite3.vcxproj
+ Wraps SQLite 3.50.4, which is itself built by sqlite3.vcxproj
 Homepage: https://www.sqlite.org/