Description
Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none.
Published: 2026-03-31
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that requires administrative privileges, leading to low confidentiality impact and no integrity impact
Action: Apply Patch
AI Analysis

Impact

A stored cross‑site scripting flaw exists in a user interface component of Pega Platform. The vulnerability allows an attacker who can gain administrative access to inject malicious script that is persisted and executed in the browsers of other users who view the affected interface. Because the attacker merely injects client‑side code, the result is a potential phishing or cookie theft scenario, which in turn can lead to a low‑level confidentiality compromise but has no direct influence on data integrity.

Affected Systems

Pegasystems Pega Infinity versions 8.1.0 through 25.1.0 are affected by this flaw.

Risk and Exploitability

The CVSS score of 4.8 corresponds to a Medium severity rating, and the EPSS score of less than 1% reflects a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires administrative rights, so the attack vector is limited to privileged accounts. While the impact to confidentiality is low, the presence of administrative access raises the overall risk for organizations that rely on these versions.

Generated by OpenCVE AI on April 3, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Pegasystems support to obtain the latest security patch or release that addresses the stored XSS flaw.
  • Apply the vendor‑issued patch or upgrade to a version beyond 25.1.0 as soon as it becomes available.
  • Validate and sanitize all user‑supplied input in the affected UI component to prevent script injection.
  • Limit administrative privileges and enforce role‑based access control to reduce the potential attack surface.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 12:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pega; Pega pega Platform
CPEs | | cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*
Vendors & Products | | Pega; Pega pega Platform
Metrics | | cvssV3_1 {'score': 3.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N'}


Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pegasystems; Pegasystems pega Infinity
Vendors & Products | | Pegasystems; Pegasystems pega Infinity

Tue, 31 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none.
Title | | Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component.
Weaknesses | | CWE-79
References | |
Metrics | | cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Pega

Published:

Updated: 2026-03-31T18:33:01.304Z

Reserved: 2025-10-07T19:04:27.221Z

Link: CVE-2025-62184

Vulnrichment

Updated: 2026-03-31T18:32:53.575Z

NVD

Status: Analyzed

Published: 2026-03-31T18:16:44.423

Modified: 2026-04-03T12:49:16.167

Link: CVE-2025-62184

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:17:28Z

Weaknesses