Description
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.
Published: 2026-04-15
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Update System
AI Analysis

Impact

Pega Platform versions 8.1.0 through 25.1.1 contain a stored cross‑site scripting flaw (CWE‑79) in a user interface component. An attacker who holds, or has compromised, a high‑privileged account with a developer role can inject script that the platform persists and that executes in the browsers of other users whenever the affected UI is rendered. The CVSS v4 vector rates the confidentiality and integrity impact as low on both the vulnerable system and subsequent systems and records no availability impact; in practice, script running in another user's session can read what that user can see and act with that user's permissions inside the Pega application.

Affected Systems

The vulnerability affects Pegasystems Pega Infinity (Pega Platform) installations from version 8.1.0 up to and including 25.1.1. The advisory names no fixed version; administrators should confirm whether the installed version falls in that range and track the vendor's advisory for a corrected release.

Risk and Exploitability

A CVSS v4 score of 4.8 is Medium severity. The vector (AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) records a network‑reachable, low‑complexity attack that requires high privileges (a developer‑role account) and passive user interaction: the victim only has to view the affected UI, not click anything. The privilege requirement narrows the attacker population but does not remove the risk, because a compromised or over‑provisioned developer account is exactly the foothold this flaw needs. EPSS data is not available and the issue is not listed in the CISA KEV catalog, so no broad or automated exploitation is currently documented. The combination of a high‑privilege foothold with persistent script executed against other users still justifies monitoring developer‑role activity and timely remediation once a fix is available.

Generated by OpenCVE AI on April 16, 2026 at 02:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pega Infinity to a vendor‑fixed release as soon as Pegasystems publishes one; at the time of this record no fixed version is listed, so watch the vendor's security advisories for this CVE rather than assuming any release above 25.1.1 is safe.
  • Until a fix is available, reduce who can reach the affected component: review which accounts hold the developer role, remove it from anyone who does not need it, and, where the application configuration allows, disable the component. Only trusted, required personnel should be able to create or edit content that the vulnerable UI renders.
  • Review content already stored by developer‑role accounts for script or event‑handler markup, and apply context‑aware output encoding (HTML text, attribute, URL and JavaScript contexts each need their own encoder) to user‑supplied data in any custom UI rules you author, following standard cross‑site scripting prevention practice. Note that encoding in your own rules does not patch the platform component itself.
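The encoding recommendation above, shown as an added example that is not Pega code and not from the advisory. It assumes a hypothetical scenario in which a developer‑role user saves a UI label and a tooltip that the platform later renders into pages viewed by other users; the stored values are constructed here to mirror a stored XSS payload, and the two small inspectors exist only to make the difference between the vulnerable and hardened renderings checkable.

```javascript
// Added example, not Pega code: a stored XSS payload surviving naive rendering,
// and the same values neutralised by context-aware output encoding.
// Assumed (hypothetical) scenario: a developer-role user saves a UI label and
// tooltip; the platform later renders them into pages other users view.

// Constructed sample values, as an attacker with edit rights might store them.
// The label smuggles an element with an event handler; the tooltip closes the
// title attribute early and adds its own handler.
const STORED_LABEL = '<img src=x onerror="alert(document.cookie)">';
const STORED_TOOLTIP = '" autofocus onfocus="alert(1)';

// Vulnerable rendering: stored values are concatenated straight into markup.
function renderLabelUnsafe(label, tooltip) {
  return `<span class="label" title="${tooltip}">${label}</span>`;
}

// Encoder for HTML text content and double-quoted attribute values.
// '&' is replaced first so already-encoded output is not double-encoded.
// Other sinks (URLs, inline JavaScript, CSS) need their own encoders.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened rendering: every untrusted value is encoded for the context it
// lands in, so the stored strings become inert text inside the span.
function renderLabelSafe(label, tooltip) {
  return `<span class="label" title="${encodeHtml(tooltip)}">${encodeHtml(label)}</span>`;
}

// Minimal inspectors used only in this example (they are not a sanitiser):
// element names that open a tag, and attribute names written as name="...".
function openingTagNames(html) {
  return Array.from(html.matchAll(/<([a-z][a-z0-9]*)/gi), (m) => m[1].toLowerCase());
}

function attributeNames(html) {
  return Array.from(html.matchAll(/([a-z:-]+)="[^"]*"/gi), (m) => m[1].toLowerCase());
}

// True when the only element is the span we wrote and no on* handler
// attribute made it into the markup.
function isInert(html) {
  const tags = openingTagNames(html);
  const handlers = attributeNames(html).filter((name) => name.startsWith('on'));
  return tags.length === 1 && tags[0] === 'span' && handlers.length === 0;
}

const unsafeMarkup = renderLabelUnsafe(STORED_LABEL, STORED_TOOLTIP);
const safeMarkup = renderLabelSafe(STORED_LABEL, STORED_TOOLTIP);
console.log('unsafe:', unsafeMarkup, '\n  tags:', openingTagNames(unsafeMarkup),
  'attrs:', attributeNames(unsafeMarkup), 'inert:', isInert(unsafeMarkup));
console.log('safe:  ', safeMarkup, '\n  tags:', openingTagNames(safeMarkup),
  'attrs:', attributeNames(safeMarkup), 'inert:', isInert(safeMarkup));
```

The unsafe rendering yields two elements (span and img) and two event‑handler attributes (onfocus, onerror); the hardened rendering yields one span with only class and title. In browser code the equivalent of encodeHtml is to assign untrusted values with textContent and setAttribute rather than building HTML strings.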


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 01:45:00 +0000

Type: First Time appeared
Values Removed: none recorded
Values Added: Pegasystems; Pegasystems pega Infinity

Type: Vendors & Products
Values Removed: none recorded
Values Added: Pegasystems; Pegasystems pega Infinity

Wed, 15 Apr 2026 21:45:00 +0000

Type: Description
Values Removed: none recorded
Values Added: Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.

Type: Title
Values Removed: none recorded
Values Added: Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.

Type: Weaknesses
Values Removed: none recorded
Values Added: CWE-79

Type: References
Values Removed: none recorded
Values Added: none recorded

Type: Metrics
Values Removed: none recorded
Values Added: cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Pegasystems Pega Infinity
MITRE

Status: PUBLISHED

Assigner: Pega

Published:

Updated: 2026-04-15T21:33:06.928Z

Reserved: 2026-01-30T18:08:28.303Z

Link: CVE-2026-1711

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-15T22:16:51.880

Modified: 2026-04-15T22:16:51.880

Link: CVE-2026-1711

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:30:21Z

Weaknesses