CVE-2026-0949 is a stored Cross-site Scripting (XSS) vulnerability affecting EnterpriseDB's Postgres Enterprise Manager (PEM) versions prior to 9.8.1. The vulnerability arises from improper neutralization of input during web page generation, specifically in the Manage Charts feature. Users with elevated privileges—namely superuser, pem_admin, or pem_super_admin—can inject arbitrary JavaScript code when creating new charts. This malicious script is stored and subsequently executed in the browsers of any users who access the affected charts, potentially allowing attackers to hijack sessions, steal credentials, or perform actions on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.5, indicating medium severity. The attack vector is network-based (AV:N), with low attack complexity (AC:L), but requires high privileges (PR:H) and no user interaction (UI:N). The scope is unchanged (S:U), and the impact on confidentiality and integrity is high (C:H/I:H), while availability is unaffected (A:N). No public exploits have been reported yet. The vulnerability is limited to PEM version 9.x and earlier, and only users with specific administrative privileges can exploit it, which somewhat limits the attack surface. However, the stored nature of the XSS means that any user viewing the compromised charts can be affected, increasing the risk of lateral impact within organizations.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of data managed through PEM. Attackers with administrative access could inject malicious scripts that compromise session tokens, steal sensitive information, or perform unauthorized actions within the PEM interface. This could lead to unauthorized access to database management functions or leakage of sensitive operational data. Since PEM is used for managing PostgreSQL databases, which are widely deployed in enterprise environments, exploitation could affect critical infrastructure and business operations. The requirement for high privileges to exploit reduces the likelihood of external attackers directly leveraging this vulnerability, but insider threats or compromised administrative accounts could be leveraged. The stored XSS nature means that even non-privileged users who view the charts could be impacted, potentially leading to broader compromise. Disruption of database management activities could also indirectly affect availability of services dependent on these databases.

European organizations should immediately upgrade PEM to version 9.8.1 or later, where the vulnerability is patched. Until patching is possible, restrict access to the Manage Charts menu strictly to trusted administrators and monitor for unusual activity. Implement strict role-based access controls (RBAC) to minimize the number of users with pem_admin or pem_super_admin privileges. Conduct regular audits of user privileges and review chart configurations for suspicious or unauthorized scripts. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the PEM web interface. Additionally, educate administrators about the risks of injecting untrusted input and encourage safe handling of chart creation. Network segmentation and monitoring of PEM traffic can help detect exploitation attempts. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential compromises.