Description
PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu.
Published: 2026-01-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS) that lets privileged users inject arbitrary JavaScript, which then executes in the browser of any user who views the chart
Action: Apply Upgrade
AI Analysis

Impact

PEM versions before 9.8.1 contain a stored Cross-Site Scripting flaw that permits users who can create charts in the Manage Charts menu to inject malicious JavaScript. When a chart is viewed, the injected script runs in the victim's browser. Because only the superuser and users with pem_admin or pem_super_admin roles can create charts, the impact is limited to these high-privilege accounts but can affect any other user who opens the compromised chart, potentially exposing session data or enabling further attacks.

Affected Systems

EnterpriseDB Postgres Enterprise Manager, all releases earlier than version 9.8.1, accessed via the Manage Charts feature.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5 and an EPSS of less than 1%, indicating moderate severity but low expected exploit frequency. It is not listed in CISA's KEV catalog. Exploitation requires authenticated access with pem_admin or pem_super_admin rights to create a chart, after which any user who subsequently opens the chart will have the attacker's script executed. In typical deployments the attack surface is internal, but compromised privileged credentials or social engineering could provide the necessary access.

Generated by OpenCVE AI on April 18, 2026 at 05:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Postgres Enterprise Manager to version 9.8.1 or later, which removes the XSS flaw.
  • Restrict the Manage Charts menu to only those accounts that absolutely need it, removing any unnecessary pem_admin or pem_super_admin privileges.
  • Continuously monitor chart logs and user activity for unexpected script entries, and enforce strict input sanitization or a Content Security Policy to mitigate future script injection attempts.
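The last two recommendations above (encode untrusted chart metadata before it reaches the page, ship a CSP as a second layer, and audit what is already stored) are illustrated below. This is an added example written for this page; it is not PEM's own rendering code and it does not reflect how PEM stores charts. The chart object shape (`id`, `name`, `description`), the function names, the CSP value and the sample rows are all constructed for the illustration.

```javascript
// Added example (not PEM's or OpenCVE's code): contextual output encoding for
// chart metadata, a defence-in-depth CSP, and an audit over stored chart rows.
// The chart field names and the sample data below are constructed assumptions.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value for insertion into HTML element content or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The vulnerable pattern: untrusted chart metadata interpolated straight into
// markup, so whatever the chart author typed becomes DOM for every viewer.
function renderChartHeaderUnsafe(chart) {
  return `<h2 class="chart-title">${chart.name}</h2>` +
         `<p class="chart-desc">${chart.description}</p>`;
}

// The hardened form: every untrusted field is encoded for its HTML context.
function renderChartHeader(chart) {
  return `<h2 class="chart-title">${escapeHtml(chart.name)}</h2>` +
         `<p class="chart-desc">${escapeHtml(chart.description)}</p>`;
}

// Defence in depth: a CSP without 'unsafe-inline' means an encoding slip
// elsewhere in the page still does not run as inline script. (Illustrative
// value; a real deployment tunes it to the application's actual sources.)
const CONTENT_SECURITY_POLICY =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Audit helper for the "monitor chart entries" recommendation: flag stored
// names or descriptions that contain tags, javascript: URLs or event handlers.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z!]|javascript\s*:|on[a-z]+\s*=/i;

function isSuspiciousChart(chart) {
  return MARKUP_PATTERN.test(chart.name) || MARKUP_PATTERN.test(chart.description);
}

// Returns the ids of stored charts whose metadata looks like markup.
function findSuspiciousCharts(charts) {
  return charts.filter(isSuspiciousChart).map((c) => c.id);
}

// Constructed sample rows standing in for a chart-definition table.
const SAMPLE_CHARTS = [
  { id: 1, name: "Connections per host", description: "Active backends by client" },
  { id: 2, name: "Buffer hits <script>alert(1)</script>", description: "Cache ratio" },
  { id: 3, name: "Locks", description: '<b onmouseover="alert(1)">hot</b>' },
];

// Usage: compare the two renderings for one stored row and list the rows an
// audit would surface for review.
console.log("unsafe:", renderChartHeaderUnsafe(SAMPLE_CHARTS[1]));
console.log("safe:  ", renderChartHeader(SAMPLE_CHARTS[1]));
console.log("CSP:   ", CONTENT_SECURITY_POLICY);
console.log("review:", findSuspiciousCharts(SAMPLE_CHARTS));
```

The audit pattern is deliberately broad: it is meant to produce a short list for a human to review, not to be the control. The control is the output encoding in `renderChartHeader`, which does not depend on guessing what an attacker might type, with the CSP covering any rendering path that is missed.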

Generated by OpenCVE AI on April 18, 2026 at 05:45 UTC.


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 06:00:00 +0000

Type: Title
Values Removed: (none)
Values Added: Stored XSS in EnterpriseDB Postgres Enterprise Manager via Manage Charts Menu

Tue, 10 Feb 2026 17:30:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:enterprisedb:postgres_enterprise_manager:*:*:*:*:*:*:*:*

Mon, 19 Jan 2026 09:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Enterprisedb; Enterprisedb Postgres Enterprise Manager

Type: Vendors & Products
Values Removed: (none)
Values Added: Enterprisedb; Enterprisedb Postgres Enterprise Manager

Fri, 16 Jan 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu.

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: EDB

Published:

Updated: 2026-01-16T16:49:37.156Z

Reserved: 2026-01-14T16:55:03.874Z

Link: CVE-2026-0949

Vulnrichment

Updated: 2026-01-16T16:49:28.968Z

NVD

Status : Analyzed

Published: 2026-01-16T17:15:54.047

Modified: 2026-02-10T17:25:39.597

Link: CVE-2026-0949

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses