{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-03T02:24:01.998","vulnerabilities":[{"cve":{"id":"CVE-2026-0949","sourceIdentifier":"20be33e2-bf35-4d13-8fad-18bd2f3e3659","published":"2026-01-16T17:15:54.047","lastModified":"2026-02-10T17:25:39.597","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu."},{"lang":"es","value":"Las versiones de PEM anteriores a la 9.8.1 están afectadas por una vulnerabilidad de cross-site scripting (XSS) almacenado que permite a los usuarios con acceso al menú 'Manage Charts' inyectar JavaScript arbitrario al crear un nuevo gráfico, el cual es luego ejecutado por cualquier usuario que acceda al gráfico. Por defecto, solo el superusuario y los usuarios con privilegios pem_admin o pem_super_admin pueden acceder al menú 'Manage Charts'."}],"metrics":{"cvssMetricV31":[{"source":"20be33e2-bf35-4d13-8fad-18bd2f3e3659","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.2,"impactScore":5.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.7,"impactScore":2.7}]},"weaknesses":[{"source":"20be33e2-bf35-4d13-8fad-18bd2f3e3659","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:enterprisedb:postgres_enterprise_manager:*:*:*:*:*:*:*:*","versionEndExcluding":"9.8.1","matchCriteriaId":"36756BDF-F614-4035-B6CC-1BED2359F574"}]}]}],"references":[{"url":"https://www.enterprisedb.com/docs/security/advisories/cve20260949/","source":"20be33e2-bf35-4d13-8fad-18bd2f3e3659","tags":["Vendor Advisory"]}]}}]}