{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-0949","assignerOrgId":"20be33e2-bf35-4d13-8fad-18bd2f3e3659","state":"PUBLISHED","assignerShortName":"EDB","dateReserved":"2026-01-14T16:55:03.874Z","datePublished":"2026-01-16T16:29:42.134Z","dateUpdated":"2026-01-16T16:49:37.156Z"},"containers":{"cna":{"providerMetadata":{"orgId":"20be33e2-bf35-4d13-8fad-18bd2f3e3659","shortName":"EDB","dateUpdated":"2026-01-16T16:29:42.134Z"},"problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-79","description":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","type":"CWE"}]}],"affected":[{"vendor":"EnterpriseDB","product":"Postgres Enterprise Manager (PEM)","versions":[{"version":"9","status":"affected","lessThan":"9.8.1","versionType":"custom"}],"defaultStatus":"affected"}],"descriptions":[{"lang":"en","value":"PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. \nBy default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu."}],"metrics":[{"format":"CVSS","cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"}}],"source":{"discovery":"INTERNAL"},"references":[{"url":"https://www.enterprisedb.com/docs/security/advisories/cve20260949/"}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-01-16T16:49:16.831356Z","id":"CVE-2026-0949","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-16T16:49:37.156Z"}}]}}