CVE-2026-0949 - PEM 9.8 Cross-site scripting
First Published: 2026/01/16
Last Updated: 2026/01/16
Summary
PEM versions prior to 9.8.1 are affected by a stored Cross-Site Scripting (XSS) vulnerability that allows users with access to the “Manage Charts” menu to inject arbitrary JavaScript when creating a new chart, which is then executed in the browser of any user who views the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the “Manage Charts” menu.
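As an added illustration that is not EDB's or PEM's code, the following Python shows the unescaped rendering pattern behind a stored XSS of the kind described above, the escaped form that neutralizes it (the CWE-79 fix), and an audit helper for reviewing chart titles that were stored before the upgrade; the chart record layout (id, owner, title) is an assumption.

```python
"""Added example (not EDB/PEM code): contextual HTML escaping for a
user-supplied chart title, beside the unescaped rendering that produces a
stored XSS of the kind CVE-2026-0949 describes, plus an audit helper to
review chart definitions already stored before the fix. The record layout
is a constructed assumption."""
import html
import re
from typing import Iterable

# Characters that only become dangerous once a string is reused as HTML.
_MARKUP_CHARS = re.compile(r'[<>"\'&]')


def render_chart_title_vulnerable(title: str) -> str:
    """'Before' form: the stored title is pasted into markup verbatim,
    so any tags or attributes in it are parsed and run by every viewer."""
    return f'<h2 class="chart-title">{title}</h2>'


def render_chart_title_safe(title: str) -> str:
    """Hardened form: escape for the HTML text context (CWE-79 fix).
    quote=True also escapes ' and " so the helper is safe in attributes."""
    return f'<h2 class="chart-title">{html.escape(title, quote=True)}</h2>'


def audit_stored_charts(charts: Iterable[dict]) -> list[dict]:
    """Flag stored charts whose titles contain markup-significant characters.
    Useful after upgrading: charts created before 9.8.1 were stored unchecked.
    Records are assumed to be dicts with 'id', 'owner' and 'title' keys."""
    return [c for c in charts if _MARKUP_CHARS.search(c.get("title", ""))]


if __name__ == "__main__":
    # Constructed sample chart records, not real PEM data.
    charts = [
        {"id": 1, "owner": "pem_admin", "title": "Transactions per second"},
        {"id": 2, "owner": "pem_admin", "title": 'Lag <b>"primary"</b> & replica'},
    ]
    for chart in audit_stored_charts(charts):
        print(f"review chart {chart['id']} by {chart['owner']}: {chart['title']!r}")
        print("  vulnerable:", render_chart_title_vulnerable(chart["title"]))
        print("  safe:      ", render_chart_title_safe(chart["title"]))
```

The audit list is a review queue, not a verdict: a title containing `&` or quotes may be legitimate, but each flagged chart should be checked by an administrator after applying the 9.8.1 fix.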
Vulnerability details
CVE-ID: CVE-2026-0949
CVSS Base Score: 6.5
CVSS Temporal Score: Undefined
CVSS Environmental Score: Undefined
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Affected products and versions
- Affected Product: Postgres Enterprise Manager (PEM)
- Affected Versions: All versions prior to PEM 9.8.1.
Remediation/fixes
Remediation is available in PEM 9.8.1.
References
- https://www.first.org/cvss/calculator/3.1
- CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Related information
Acknowledgement
Source: MITRE
Change history
16 Jan 2026: Original Copy Published
Disclaimer
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.