CVE-2026-0949 - PEM 9.8 Cross-site scripting
First Published: 2026/01/16
Last Updated: 2026/01/16
Summary
Postgres Enterprise Manager (PEM) versions 9.8 and earlier are affected by a cross-site scripting (XSS) vulnerability. Through query result rendering, an attacker can cause arbitrary HTML/JavaScript to execute in a user's browser.
Vulnerability details
CVE-ID: CVE-2026-0949
CVSS Base Score: 5.4
CVSS Temporal Score: Undefined
CVSS Environmental Score: Undefined
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected products and versions
- Affected Product: Postgres Enterprise Manager (PEM)
- Affected Versions: All versions prior to PEM 9.8.1.
Remediation/fixes
Remediation is available in PEM 9.8.1.
References
- https://www.first.org/cvss/calculator/3.1
- CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Related information
Acknowledgement
Source: MITRE
Change history
16 Jan 2026: Original Copy Published
Disclaimer
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.