Vulnerability Details CVE-2026-0949
PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 2.7%
CVSS Severity
CVSS v3 Score 6.5
Products affected by CVE-2026-0949
-
cpe:2.3:a:enterprisedb:postgres_enterprise_manager:9.0.0
-
cpe:2.3:a:enterprisedb:postgres_enterprise_manager:9.1.0
-
cpe:2.3:a:enterprisedb:postgres_enterprise_manager:9.1.1
-
cpe:2.3:a:enterprisedb:postgres_enterprise_manager:9.2.0
-
cpe:2.3:a:enterprisedb:postgres_enterprise_manager:9.2.1
-
cpe:2.3:a:enterprisedb:postgres_enterprise_manager:9.2.2
-
cpe:2.3:a:enterprisedb:postgres_enterprise_manager:9.3.0
-
cpe:2.3:a:enterprisedb:postgres_enterprise_manager:9.3.1
-
cpe:2.3:a:enterprisedb:postgres_enterprise_manager:9.4.0
-
cpe:2.3:a:enterprisedb:postgres_enterprise_manager:9.4.1
-
cpe:2.3:a:enterprisedb:postgres_enterprise_manager:9.5.0
-
cpe:2.3:a:enterprisedb:postgres_enterprise_manager:9.5.1
-
cpe:2.3:a:enterprisedb:postgres_enterprise_manager:9.6.0
-
cpe:2.3:a:enterprisedb:postgres_enterprise_manager:9.7.0
-
cpe:2.3:a:enterprisedb:postgres_enterprise_manager:9.8.0