CVE-2026-0949

MEDIUM EPSS 10.0%

Published Jan 16, 20265mo ago · Modified Jun 17, 20261w ago

4.8 CVSS 3.1

Medium

Published Jan 16, 2026 5mo ago

Last Modified Jun 17, 2026 1w ago

Description

PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu.

CVSS Details

Base Score

4.8

Exploitability

1.7

Impact

2.7

Vector string

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction Required

Scope Changed

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

10.0% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor	Product	Version	Range
enterprisedb	postgres_enterprise_manager	*	<9.8.1

References 1

enterprisedb.com https://www.enterprisedb.com/docs/security/advisories/cve20260949/

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.