Pega Platform versions 8.1.0 through 25.1.1 contain an HTML injection flaw in a user interface component that does not properly encode or sanitize user‑supplied data. The flaw allows an attacker who holds a high‑privileged developer account to inject arbitrary HTML, including JavaScript, into the platform’s web interface. If the injected content is rendered in a victim’s browser, it can execute in the context of the application, potentially providing ways for the attacker to perform actions such as session hijacking or data theft—these outcomes are typical for XSS but are not explicitly detailed in the advisory.

The vulnerability affects the Pegasystems Pega Infinity product in any instance running a version between 8.1.0 and 25.1.1. Exploitation requires a developer role with high privileges; ordinary users or roles with lower privileges cannot trigger the injection.

The CVSS score of 5.1 indicates medium severity. While no public exploits have been reported and the vulnerability is not listed in the CISA KEV catalog, the requirement for a high‑privileged developer account reduces the chance of exploitation outside of environments where such accounts exist. Once the privilege threshold is met, an attacker could exploit the injected HTML to compromise confidentiality or integrity of the user session. Because an EPSS score is unavailable, the specific exploitation probability cannot be quantified, but the combination of medium CVSS and privileged requirement suggests a moderate overall risk.