Merge pull request #7064 from EnterpriseDB/CVE-2026-0949

Update CVE advisory for CVE-2026-0949

Author: gvasquezvargas

advocacy_docs/security/advisories/cve20260949.mdx

@@ -0,0 +1,56 @@
+---
+title: CVE-2026-0949 - PEM 9.8 Cross-site scripting
+navTitle: CVE-2026-0949
+affectedProducts: Postgres Enterprise Manager (PEM)
+---
+
+First Published: 2026/01/16
+
+Last Updated: 2026/01/16
+
+## Summary
+
+Postgres Enterprise Manager (PEM) versions 9.8 and earlier are affected by a security vulnerability with Cross-Site Scripting(XSS). If attackers execute arbitrary HTML/JavaScript in a user's browser via query result rendering, it runs in the browser.
+
+
+## Vulnerability details
+
+CVE-ID:  [CVE-2026-0949](https://nvd.nist.gov/vuln/detail/CVE-2026-0949)
+
+CVSS Base Score: 5.4
+
+CVSS Temporal Score: Undefined
+
+CVSS Environmental Score: Undefined
+
+CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+
+## Affected products and versions
+
+* Affected Product: Postgres Enterprise Manager (PEM)
+* Affected Versions: All versions prior to PEM 9.8.1.
+
+## Remediation/fixes
+
+Remediation is available in PEM 9.8.1.
+
+## References
+
+* [https://www.first.org/cvss/calculator/3.1](https://www.first.org/cvss/calculator/3.1)
+* [CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html)
+
+## Related information
+
+* [EnterpriseDB](https://www.enterprisedb.com/)
+* [EDB Blogs link](https://enterprisedb.com/blog/)
+
+## Acknowledgement
+Source: MITRE
+
+## Change history
+
+16 Jan 2026: Original Copy Published
+
+## Disclaimer
+
+This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.

advocacy_docs/security/advisories/index.mdx

@@ -6,6 +6,7 @@ iconName: Security
 hideKBLink: true
 hideToC: false
 navigation:
+- cve20260949
 - cve20252506
 - cve202514038
 - cve20244545
@@ -25,10 +26,27 @@ navigation:
 
 
 
+<h2>Released 2026</h2>
 
+<table class="table-bordered">
+<tr><td>
+<details><summary><h3 style="display:inline"> CVE-2026-0949 </h3>
+<span>
+&nbsp;&nbsp;<a href="cve20260949">Read Advisory</a>
+&nbsp;&nbsp;Published: </span><span>2026/01/16</span><br/>
+<h4>PEM 9.8 Cross-site scripting </h4>
+<h5>All versions of PEM prior to 9.8.1</h5>
+</summary>
+<hr/>
+<em>Summary:</em>&nbsp;
+Postgres Enterprise Manager (PEM) versions 9.8 and earlier are affected by a security vulnerability with Cross-Site Scripting(XSS). If attackers execute arbitrary HTML/JavaScript in a user's browser via query result rendering, it runs in the browser.
+<br/>
+<a href="cve20260949">Read More...</a>
+</details></td></tr>
+
+</table>   
 
 
-   
 <h2>Released 2025</h2>
 
 <table class="table-bordered">

advocacy_docs/security/index.mdx

@@ -32,6 +32,22 @@ This policy outlines how EnterpriseDB handles disclosures related to suspected v
 <table class="table-bordered">
 
 
+<tr><td>
+<details><summary><h3 style="display:inline"> CVE-2026-0949 </h3>
+<span>
+&nbsp;&nbsp;<a href="advisories/cve20260949">Read Advisory</a>
+&nbsp;&nbsp;Published: </span><span>2026/01/16</span><br/>
+<h4>PEM 9.8 Cross-site scripting </h4>
+<h5>All versions of PEM prior to 9.8.1</h5>
+</summary>
+<hr/>
+<em>Summary:</em>&nbsp;
+Postgres Enterprise Manager (PEM) versions 9.8 and earlier are affected by a security vulnerability with Cross-Site Scripting(XSS). If attackers execute arbitrary HTML/JavaScript in a user's browser via query result rendering, it runs in the browser.
+<br/>
+<a href="advisories/cve20260949">Read More...</a>
+</details></td></tr>
+
+
 <tr><td>
 <details><summary><h3 style="display:inline">CVE-2025-2506 </h3>
 <span>