FKIE_CVE-2026-0949

Vulnerability from fkie_nvd - Published: 2026-01-16 17:15 - Updated: 2026-02-10 17:25
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu.
References
20be33e2-bf35-4d13-8fad-18bd2f3e3659https://www.enterprisedb.com/docs/security/advisories/cve20260949/Vendor Advisory
Impacted products
Vendor Product Version
enterprisedb postgres_enterprise_manager *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:enterprisedb:postgres_enterprise_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "36756BDF-F614-4035-B6CC-1BED2359F574",
              "versionEndExcluding": "9.8.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu."
    },
    {
      "lang": "es",
      "value": "Las versiones de PEM anteriores a la 9.8.1 est\u00e1n afectadas por una vulnerabilidad de cross-site scripting (XSS) almacenado que permite a los usuarios con acceso al men\u00fa \u0027Manage Charts\u0027 inyectar JavaScript arbitrario al crear un nuevo gr\u00e1fico, el cual es luego ejecutado por cualquier usuario que acceda al gr\u00e1fico. Por defecto, solo el superusuario y los usuarios con privilegios pem_admin o pem_super_admin pueden acceder al men\u00fa \u0027Manage Charts\u0027."
    }
  ],
  "id": "CVE-2026-0949",
  "lastModified": "2026-02-10T17:25:39.597",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.2,
        "source": "20be33e2-bf35-4d13-8fad-18bd2f3e3659",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-01-16T17:15:54.047",
  "references": [
    {
      "source": "20be33e2-bf35-4d13-8fad-18bd2f3e3659",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.enterprisedb.com/docs/security/advisories/cve20260949/"
    }
  ],
  "sourceIdentifier": "20be33e2-bf35-4d13-8fad-18bd2f3e3659",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "20be33e2-bf35-4d13-8fad-18bd2f3e3659",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.