Search

Find a vulnerability

Search criteria

    50 vulnerabilities found for Pega Infinity by Pegasystems

    CVE-2025-62180 (GCVE-0-2025-62180)

    Vulnerability from nvd – Published: 2026-06-23 14:48 – Updated: 2026-06-23 17:03
    VLAI
    Title
    Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.
    Summary
    Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.3.0 , < Infinity 25.1.3 (custom)
    Create a notification for this product.
    Date Public
    2026-06-22 15:00
    Credits
    Mohammed F. Alaskar from Saudi Awwal Bank Cybersecurity Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62180",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T16:31:00.662432Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T17:03:35.508Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 25.1.3",
                  "status": "affected",
                  "version": "8.3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mohammed F. Alaskar from Saudi Awwal Bank Cybersecurity Team"
            }
          ],
          "datePublic": "2026-06-22T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-23T14:48:36.267Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-i25-vulnerability-remediation-note"
            },
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-h26-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-62180",
        "datePublished": "2026-06-23T14:48:36.267Z",
        "dateReserved": "2025-10-07T19:04:27.220Z",
        "dateUpdated": "2026-06-23T17:03:35.508Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1711 (GCVE-0-2026-1711)

    Vulnerability from nvd – Published: 2026-04-15 21:32 – Updated: 2026-04-16 14:17
    VLAI
    Title
    Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.
    Summary
    Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1.0 , < Infinity 25.1.2 (custom)
    Create a notification for this product.
    Date Public
    2026-04-15 22:00
    Credits
    Amjad Nayef Qabaha from Integrated Telecom Solutions (INOVAR)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1711",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T14:17:16.269793Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T14:17:53.761Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 25.1.2",
                  "status": "affected",
                  "version": "8.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amjad Nayef Qabaha from Integrated Telecom Solutions (INOVAR)"
            }
          ],
          "datePublic": "2026-04-15T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592: Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T21:33:06.928Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-d26-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2026-1711",
        "datePublished": "2026-04-15T21:32:51.821Z",
        "dateReserved": "2026-01-30T18:08:28.303Z",
        "dateUpdated": "2026-04-16T14:17:53.761Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1564 (GCVE-0-2026-1564)

    Vulnerability from nvd – Published: 2026-04-15 21:31 – Updated: 2026-04-16 14:16
    VLAI
    Title
    Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.
    Summary
    Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper Neutralization of Script Related HTML Tags in a Web Page
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1.0 , < Infinity 25.1.2 (custom)
    Create a notification for this product.
    Date Public
    2026-04-15 22:00
    Credits
    Michal Skowron from ING Hubs Poland
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1564",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T14:16:39.665831Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T14:16:54.925Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 25.1.2",
                  "status": "affected",
                  "version": "8.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Michal Skowron from ING Hubs Poland"
            }
          ],
          "datePublic": "2026-04-15T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-18",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-18: XSS Targeting Non-Script Elements"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script Related HTML Tags in a Web Page",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T21:31:19.982Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-b26-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2026-1564",
        "datePublished": "2026-04-15T21:31:19.982Z",
        "dateReserved": "2026-01-28T19:59:26.073Z",
        "dateUpdated": "2026-04-16T14:16:54.925Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62184 (GCVE-0-2025-62184)

    Vulnerability from nvd – Published: 2026-03-31 17:52 – Updated: 2026-03-31 18:33
    VLAI
    Title
    Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component.
    Summary
    Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1.0 , < Infinity 25.1.0 (custom)
    Create a notification for this product.
    Date Public
    2026-03-31 19:00
    Credits
    Amjad Nayef Qabaha from Integrated Telecom Solutions (INOVAR)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62184",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-31T18:32:48.299631Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-31T18:33:01.304Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 25.1.0",
                  "status": "affected",
                  "version": "8.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amjad Nayef Qabaha from Integrated Telecom Solutions (INOVAR)"
            }
          ],
          "datePublic": "2026-03-31T19:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component.  Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component.  Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-31T17:52:07.404Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-o25-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-62184",
        "datePublished": "2026-03-31T17:52:07.404Z",
        "dateReserved": "2025-10-07T19:04:27.221Z",
        "dateUpdated": "2026-03-31T18:33:01.304Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62183 (GCVE-0-2025-62183)

    Vulnerability from nvd – Published: 2026-02-17 22:53 – Updated: 2026-02-18 20:45
    VLAI
    Title
    Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low.
    Summary
    Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1.0 , < Infinity 25.1.1 (custom)
    Create a notification for this product.
    Date Public
    2026-02-17 22:30
    Credits
    Jordan Lyons from AFLAC
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62183",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-18T20:44:57.123621Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-18T20:45:05.908Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 25.1.1",
                  "status": "affected",
                  "version": "8.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jordan Lyons from AFLAC"
            }
          ],
          "datePublic": "2026-02-17T22:30:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component.  Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component.  Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-17T22:53:22.638Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-n25-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-62183",
        "datePublished": "2026-02-17T22:53:22.638Z",
        "dateReserved": "2025-10-07T19:04:27.220Z",
        "dateUpdated": "2026-02-18T20:45:05.908Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62182 (GCVE-0-2025-62182)

    Vulnerability from nvd – Published: 2026-01-13 16:37 – Updated: 2026-06-03 19:46
    VLAI
    Title
    Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by a Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file.
    Summary
    Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by a Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.7.0 , < Infinity 25.1.1 (custom)
    Create a notification for this product.
    Date Public
    2026-01-13 16:30
    Credits
    Daniel Dorego from AFLAC
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62182",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-13T21:42:03.492975Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-13T21:42:10.152Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 25.1.1",
                  "status": "affected",
                  "version": "8.7.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Daniel Dorego from AFLAC"
            }
          ],
          "datePublic": "2026-01-13T16:30:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by a Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by a Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-03T19:46:43.439Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-l25-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by a Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-62182",
        "datePublished": "2026-01-13T16:37:06.709Z",
        "dateReserved": "2025-10-07T19:04:27.220Z",
        "dateUpdated": "2026-06-03T19:46:43.439Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62181 (GCVE-0-2025-62181)

    Vulnerability from nvd – Published: 2025-12-10 20:41 – Updated: 2025-12-11 15:32
    VLAI
    Title
    Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration where during user authentication process, a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.
    Summary
    Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: Basic credentials authentication service type is deprecated started in 24.2 version: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-204 - Observable Response Discrepancy
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 7.1.0 , < Infinity 25.1.1 (custom)
    Create a notification for this product.
    Date Public
    2025-12-10 15:00
    Credits
    Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) Louis Sohier of ENGIE IT Offensive Cybersecurity Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62181",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-11T15:25:30.998804Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-11T15:32:31.153Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 25.1.1",
                  "status": "affected",
                  "version": "7.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Louis Sohier of ENGIE IT Offensive Cybersecurity Team"
            }
          ],
          "datePublic": "2025-12-10T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration.  This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.  This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended.  A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases.  Please note:  Basic credentials authentication service type is deprecated started in 24.2 version:  https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration.  This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.  This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended.  A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases.  Please note:  Basic credentials authentication service type is deprecated started in 24.2 version:  https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-70",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-70 Try Common or Default Usernames and Passwords"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-204",
                  "description": "CWE-204: Observable Response Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-10T20:41:08.517Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-j25-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration where during user authentication process, a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-62181",
        "datePublished": "2025-12-10T20:41:08.517Z",
        "dateReserved": "2025-10-07T19:04:27.220Z",
        "dateUpdated": "2025-12-11T15:32:31.153Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-9559 (GCVE-0-2025-9559)

    Vulnerability from nvd – Published: 2025-10-16 15:28 – Updated: 2025-10-16 18:13
    VLAI
    Title
    Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data
    Summary
    Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.7.5 , < Infinity 24.2.3 (custom)
    Create a notification for this product.
    Date Public
    2025-10-16 15:00
    Credits
    Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9559",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-16T18:13:10.483009Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-16T18:13:47.670Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 24.2.3",
                  "status": "affected",
                  "version": "8.7.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)"
            }
          ],
          "datePublic": "2025-10-16T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-16T15:28:18.504Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-h25-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-9559",
        "datePublished": "2025-10-16T15:28:18.504Z",
        "dateReserved": "2025-08-27T20:01:46.786Z",
        "dateUpdated": "2025-10-16T18:13:47.670Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-8681 (GCVE-0-2025-8681)

    Vulnerability from nvd – Published: 2025-09-10 16:00 – Updated: 2025-09-11 14:42
    VLAI
    Title
    Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component
    Summary
    Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component.  Requires a high privileged user with a developer role.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 7.1.0 , < Infinity 24.2.3 (custom)
    Create a notification for this product.
    Date Public
    2025-09-10 15:00
    Credits
    Louis Sohier of ENGIE IT Offensive Cybersecurity Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-8681",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-11T14:27:19.118508Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-11T14:42:58.353Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 24.2.3",
                  "status": "affected",
                  "version": "7.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Louis Sohier of ENGIE IT Offensive Cybersecurity Team"
            }
          ],
          "datePublic": "2025-09-10T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. \u0026nbsp;Requires a high privileged user with a developer role.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. \u00a0Requires a high privileged user with a developer role."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-10T16:00:15.062Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-g25-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-8681",
        "datePublished": "2025-09-10T16:00:15.062Z",
        "dateReserved": "2025-08-06T19:51:28.073Z",
        "dateUpdated": "2025-09-11T14:42:58.353Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2161 (GCVE-0-2025-2161)

    Vulnerability from nvd – Published: 2025-04-14 14:19 – Updated: 2025-04-14 14:32
    VLAI
    Summary
    Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 7.2.1 , < 24.2.2 (custom)
    Create a notification for this product.
    Credits
    Kacper Paluch Maciej Włodarczyk
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2161",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-14T14:32:26.201504Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-14T14:32:37.786Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.2.2",
                  "status": "affected",
                  "version": "7.2.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Kacper Paluch"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Maciej W\u0142odarczyk"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-14T14:19:37.824Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-d25-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-2161",
        "datePublished": "2025-04-14T14:19:37.824Z",
        "dateReserved": "2025-03-10T13:29:54.031Z",
        "dateUpdated": "2025-04-14T14:32:37.786Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2160 (GCVE-0-2025-2160)

    Vulnerability from nvd – Published: 2025-04-14 14:16 – Updated: 2025-04-14 14:32
    VLAI
    Summary
    Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.4.3 , < 24.2.2 (custom)
    Create a notification for this product.
    Credits
    Kacper Paluch Maciej Włodarczyk
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2160",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-14T14:31:54.490718Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-14T14:32:12.589Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.2.2",
                  "status": "affected",
                  "version": "8.4.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Kacper Paluch"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Maciej W\u0142odarczyk"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-14T14:16:34.517Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-d25-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-2160",
        "datePublished": "2025-04-14T14:16:34.517Z",
        "dateReserved": "2025-03-10T13:29:52.653Z",
        "dateUpdated": "2025-04-14T14:32:12.589Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-12211 (GCVE-0-2024-12211)

    Vulnerability from nvd – Published: 2025-01-13 16:14 – Updated: 2025-08-26 19:58
    VLAI
    Summary
    Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1 , < 24.2.1 (custom)
    Create a notification for this product.
    Credits
    Jordan Lyons
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12211",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-13T17:23:40.336491Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-26T19:58:08.100Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.2.1",
                  "status": "affected",
                  "version": "8.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Jordan Lyons"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-13T16:14:59.224Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-f24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-12211",
        "datePublished": "2025-01-13T16:14:59.224Z",
        "dateReserved": "2024-12-04T20:50:58.613Z",
        "dateUpdated": "2025-08-26T19:58:08.100Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-10716 (GCVE-0-2024-10716)

    Vulnerability from nvd – Published: 2024-12-05 15:28 – Updated: 2024-12-05 16:30
    VLAI
    Summary
    Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1 , < 24.2.1 (custom)
    Create a notification for this product.
    Credits
    Konrad Zbylut
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10716",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-05T16:30:51.236868Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-05T16:30:58.223Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.2.1",
                  "status": "affected",
                  "version": "8.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Konrad Zbylut"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-05T15:45:17.602Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-e24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-10716",
        "datePublished": "2024-12-05T15:28:29.644Z",
        "dateReserved": "2024-11-01T22:15:22.698Z",
        "dateUpdated": "2024-12-05T16:30:58.223Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-10094 (GCVE-0-2024-10094)

    Vulnerability from nvd – Published: 2024-11-20 14:45 – Updated: 2024-11-20 15:39
    VLAI
    Summary
    Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 6.1 , < 24.1.2 (custom)
    Create a notification for this product.
    pegasystems pega_infinity Affected: 6.1 , < 24.1.2 (custom)
        cpe:2.3:a:pegasystems:pega_infinity:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Daniel Wiseman from Commonwealth Bank of Australia
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:pegasystems:pega_infinity:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "pega_infinity",
                "vendor": "pegasystems",
                "versions": [
                  {
                    "lessThan": "24.1.2",
                    "status": "affected",
                    "version": "6.1",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10094",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-20T15:37:50.121588Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-20T15:39:07.542Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.1.2",
                  "status": "affected",
                  "version": "6.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Daniel Wiseman from Commonwealth Bank of Australia"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-20T14:45:22.464Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-d24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-10094",
        "datePublished": "2024-11-20T14:45:22.464Z",
        "dateReserved": "2024-10-17T16:14:24.687Z",
        "dateUpdated": "2024-11-20T15:39:07.542Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6702 (GCVE-0-2024-6702)

    Vulnerability from nvd – Published: 2024-09-12 14:25 – Updated: 2024-09-12 15:04
    VLAI
    Summary
    Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1 , < 24.1.3 (custom)
    Create a notification for this product.
    Credits
    Andrea Solenne Christian Romano Lapo Mezzani
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6702",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-12T15:04:40.842270Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-12T15:04:50.576Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.1.3",
                  "status": "affected",
                  "version": "8.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Andrea Solenne"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Christian Romano"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Lapo Mezzani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-12T14:29:06.562Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-6702",
        "datePublished": "2024-09-12T14:25:44.692Z",
        "dateReserved": "2024-07-11T18:55:54.085Z",
        "dateUpdated": "2024-09-12T15:04:50.576Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6701 (GCVE-0-2024-6701)

    Vulnerability from nvd – Published: 2024-09-12 14:25 – Updated: 2024-09-12 15:05
    VLAI
    Summary
    Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1 , < 24.1.3 (custom)
    Create a notification for this product.
    Credits
    Andrea Solenne Christian Romano Lapo Mezzani
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6701",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-12T15:05:41.616361Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-12T15:05:49.076Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.1.3",
                  "status": "affected",
                  "version": "8.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Andrea Solenne"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Christian Romano"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Lapo Mezzani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-12T14:25:28.473Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-6701",
        "datePublished": "2024-09-12T14:25:28.473Z",
        "dateReserved": "2024-07-11T18:55:52.822Z",
        "dateUpdated": "2024-09-12T15:05:49.076Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-62180 (GCVE-0-2025-62180)

    Vulnerability from cvelistv5 – Published: 2026-06-23 14:48 – Updated: 2026-06-23 17:03
    VLAI
    Title
    Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.
    Summary
    Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.3.0 , < Infinity 25.1.3 (custom)
    Create a notification for this product.
    Date Public
    2026-06-22 15:00
    Credits
    Mohammed F. Alaskar from Saudi Awwal Bank Cybersecurity Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62180",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T16:31:00.662432Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T17:03:35.508Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 25.1.3",
                  "status": "affected",
                  "version": "8.3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mohammed F. Alaskar from Saudi Awwal Bank Cybersecurity Team"
            }
          ],
          "datePublic": "2026-06-22T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-23T14:48:36.267Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-i25-vulnerability-remediation-note"
            },
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-h26-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-62180",
        "datePublished": "2026-06-23T14:48:36.267Z",
        "dateReserved": "2025-10-07T19:04:27.220Z",
        "dateUpdated": "2026-06-23T17:03:35.508Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1711 (GCVE-0-2026-1711)

    Vulnerability from cvelistv5 – Published: 2026-04-15 21:32 – Updated: 2026-04-16 14:17
    VLAI
    Title
    Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.
    Summary
    Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1.0 , < Infinity 25.1.2 (custom)
    Create a notification for this product.
    Date Public
    2026-04-15 22:00
    Credits
    Amjad Nayef Qabaha from Integrated Telecom Solutions (INOVAR)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1711",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T14:17:16.269793Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T14:17:53.761Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 25.1.2",
                  "status": "affected",
                  "version": "8.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amjad Nayef Qabaha from Integrated Telecom Solutions (INOVAR)"
            }
          ],
          "datePublic": "2026-04-15T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592: Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T21:33:06.928Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-d26-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2026-1711",
        "datePublished": "2026-04-15T21:32:51.821Z",
        "dateReserved": "2026-01-30T18:08:28.303Z",
        "dateUpdated": "2026-04-16T14:17:53.761Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1564 (GCVE-0-2026-1564)

    Vulnerability from cvelistv5 – Published: 2026-04-15 21:31 – Updated: 2026-04-16 14:16
    VLAI
    Title
    Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.
    Summary
    Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper Neutralization of Script Related HTML Tags in a Web Page
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1.0 , < Infinity 25.1.2 (custom)
    Create a notification for this product.
    Date Public
    2026-04-15 22:00
    Credits
    Michal Skowron from ING Hubs Poland
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1564",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T14:16:39.665831Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T14:16:54.925Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 25.1.2",
                  "status": "affected",
                  "version": "8.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Michal Skowron from ING Hubs Poland"
            }
          ],
          "datePublic": "2026-04-15T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-18",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-18: XSS Targeting Non-Script Elements"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script Related HTML Tags in a Web Page",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T21:31:19.982Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-b26-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2026-1564",
        "datePublished": "2026-04-15T21:31:19.982Z",
        "dateReserved": "2026-01-28T19:59:26.073Z",
        "dateUpdated": "2026-04-16T14:16:54.925Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62184 (GCVE-0-2025-62184)

    Vulnerability from cvelistv5 – Published: 2026-03-31 17:52 – Updated: 2026-03-31 18:33
    VLAI
    Title
    Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component.
    Summary
    Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1.0 , < Infinity 25.1.0 (custom)
    Create a notification for this product.
    Date Public
    2026-03-31 19:00
    Credits
    Amjad Nayef Qabaha from Integrated Telecom Solutions (INOVAR)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62184",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-31T18:32:48.299631Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-31T18:33:01.304Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 25.1.0",
                  "status": "affected",
                  "version": "8.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amjad Nayef Qabaha from Integrated Telecom Solutions (INOVAR)"
            }
          ],
          "datePublic": "2026-03-31T19:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component.  Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component.  Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-31T17:52:07.404Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-o25-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-62184",
        "datePublished": "2026-03-31T17:52:07.404Z",
        "dateReserved": "2025-10-07T19:04:27.221Z",
        "dateUpdated": "2026-03-31T18:33:01.304Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62183 (GCVE-0-2025-62183)

    Vulnerability from cvelistv5 – Published: 2026-02-17 22:53 – Updated: 2026-02-18 20:45
    VLAI
    Title
    Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low.
    Summary
    Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1.0 , < Infinity 25.1.1 (custom)
    Create a notification for this product.
    Date Public
    2026-02-17 22:30
    Credits
    Jordan Lyons from AFLAC
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62183",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-18T20:44:57.123621Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-18T20:45:05.908Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 25.1.1",
                  "status": "affected",
                  "version": "8.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jordan Lyons from AFLAC"
            }
          ],
          "datePublic": "2026-02-17T22:30:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component.  Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component.  Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-17T22:53:22.638Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-n25-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-62183",
        "datePublished": "2026-02-17T22:53:22.638Z",
        "dateReserved": "2025-10-07T19:04:27.220Z",
        "dateUpdated": "2026-02-18T20:45:05.908Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62182 (GCVE-0-2025-62182)

    Vulnerability from cvelistv5 – Published: 2026-01-13 16:37 – Updated: 2026-06-03 19:46
    VLAI
    Title
    Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by a Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file.
    Summary
    Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by a Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.7.0 , < Infinity 25.1.1 (custom)
    Create a notification for this product.
    Date Public
    2026-01-13 16:30
    Credits
    Daniel Dorego from AFLAC
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62182",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-13T21:42:03.492975Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-13T21:42:10.152Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 25.1.1",
                  "status": "affected",
                  "version": "8.7.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Daniel Dorego from AFLAC"
            }
          ],
          "datePublic": "2026-01-13T16:30:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by a Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by a Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-03T19:46:43.439Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-l25-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by a Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-62182",
        "datePublished": "2026-01-13T16:37:06.709Z",
        "dateReserved": "2025-10-07T19:04:27.220Z",
        "dateUpdated": "2026-06-03T19:46:43.439Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62181 (GCVE-0-2025-62181)

    Vulnerability from cvelistv5 – Published: 2025-12-10 20:41 – Updated: 2025-12-11 15:32
    VLAI
    Title
    Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration where during user authentication process, a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.
    Summary
    Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: Basic credentials authentication service type is deprecated started in 24.2 version: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-204 - Observable Response Discrepancy
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 7.1.0 , < Infinity 25.1.1 (custom)
    Create a notification for this product.
    Date Public
    2025-12-10 15:00
    Credits
    Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) Louis Sohier of ENGIE IT Offensive Cybersecurity Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62181",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-11T15:25:30.998804Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-11T15:32:31.153Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 25.1.1",
                  "status": "affected",
                  "version": "7.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Louis Sohier of ENGIE IT Offensive Cybersecurity Team"
            }
          ],
          "datePublic": "2025-12-10T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration.  This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.  This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended.  A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases.  Please note:  Basic credentials authentication service type is deprecated started in 24.2 version:  https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration.  This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.  This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended.  A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases.  Please note:  Basic credentials authentication service type is deprecated started in 24.2 version:  https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-70",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-70 Try Common or Default Usernames and Passwords"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-204",
                  "description": "CWE-204: Observable Response Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-10T20:41:08.517Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-j25-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration where during user authentication process, a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-62181",
        "datePublished": "2025-12-10T20:41:08.517Z",
        "dateReserved": "2025-10-07T19:04:27.220Z",
        "dateUpdated": "2025-12-11T15:32:31.153Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-9559 (GCVE-0-2025-9559)

    Vulnerability from cvelistv5 – Published: 2025-10-16 15:28 – Updated: 2025-10-16 18:13
    VLAI
    Title
    Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data
    Summary
    Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.7.5 , < Infinity 24.2.3 (custom)
    Create a notification for this product.
    Date Public
    2025-10-16 15:00
    Credits
    Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9559",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-16T18:13:10.483009Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-16T18:13:47.670Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 24.2.3",
                  "status": "affected",
                  "version": "8.7.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)"
            }
          ],
          "datePublic": "2025-10-16T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-16T15:28:18.504Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-h25-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-9559",
        "datePublished": "2025-10-16T15:28:18.504Z",
        "dateReserved": "2025-08-27T20:01:46.786Z",
        "dateUpdated": "2025-10-16T18:13:47.670Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-8681 (GCVE-0-2025-8681)

    Vulnerability from cvelistv5 – Published: 2025-09-10 16:00 – Updated: 2025-09-11 14:42
    VLAI
    Title
    Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component
    Summary
    Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component.  Requires a high privileged user with a developer role.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 7.1.0 , < Infinity 24.2.3 (custom)
    Create a notification for this product.
    Date Public
    2025-09-10 15:00
    Credits
    Louis Sohier of ENGIE IT Offensive Cybersecurity Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-8681",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-11T14:27:19.118508Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-11T14:42:58.353Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "Infinity 24.2.3",
                  "status": "affected",
                  "version": "7.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Louis Sohier of ENGIE IT Offensive Cybersecurity Team"
            }
          ],
          "datePublic": "2025-09-10T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. \u0026nbsp;Requires a high privileged user with a developer role.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. \u00a0Requires a high privileged user with a developer role."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-10T16:00:15.062Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-g25-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-8681",
        "datePublished": "2025-09-10T16:00:15.062Z",
        "dateReserved": "2025-08-06T19:51:28.073Z",
        "dateUpdated": "2025-09-11T14:42:58.353Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2161 (GCVE-0-2025-2161)

    Vulnerability from cvelistv5 – Published: 2025-04-14 14:19 – Updated: 2025-04-14 14:32
    VLAI
    Summary
    Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 7.2.1 , < 24.2.2 (custom)
    Create a notification for this product.
    Credits
    Kacper Paluch Maciej Włodarczyk
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2161",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-14T14:32:26.201504Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-14T14:32:37.786Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.2.2",
                  "status": "affected",
                  "version": "7.2.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Kacper Paluch"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Maciej W\u0142odarczyk"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-14T14:19:37.824Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-d25-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-2161",
        "datePublished": "2025-04-14T14:19:37.824Z",
        "dateReserved": "2025-03-10T13:29:54.031Z",
        "dateUpdated": "2025-04-14T14:32:37.786Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2160 (GCVE-0-2025-2160)

    Vulnerability from cvelistv5 – Published: 2025-04-14 14:16 – Updated: 2025-04-14 14:32
    VLAI
    Summary
    Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.4.3 , < 24.2.2 (custom)
    Create a notification for this product.
    Credits
    Kacper Paluch Maciej Włodarczyk
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2160",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-14T14:31:54.490718Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-14T14:32:12.589Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.2.2",
                  "status": "affected",
                  "version": "8.4.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Kacper Paluch"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Maciej W\u0142odarczyk"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-14T14:16:34.517Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-d25-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2025-2160",
        "datePublished": "2025-04-14T14:16:34.517Z",
        "dateReserved": "2025-03-10T13:29:52.653Z",
        "dateUpdated": "2025-04-14T14:32:12.589Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-12211 (GCVE-0-2024-12211)

    Vulnerability from cvelistv5 – Published: 2025-01-13 16:14 – Updated: 2025-08-26 19:58
    VLAI
    Summary
    Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1 , < 24.2.1 (custom)
    Create a notification for this product.
    Credits
    Jordan Lyons
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12211",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-13T17:23:40.336491Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-26T19:58:08.100Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.2.1",
                  "status": "affected",
                  "version": "8.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Jordan Lyons"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-13T16:14:59.224Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-f24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-12211",
        "datePublished": "2025-01-13T16:14:59.224Z",
        "dateReserved": "2024-12-04T20:50:58.613Z",
        "dateUpdated": "2025-08-26T19:58:08.100Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-10716 (GCVE-0-2024-10716)

    Vulnerability from cvelistv5 – Published: 2024-12-05 15:28 – Updated: 2024-12-05 16:30
    VLAI
    Summary
    Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1 , < 24.2.1 (custom)
    Create a notification for this product.
    Credits
    Konrad Zbylut
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10716",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-05T16:30:51.236868Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-05T16:30:58.223Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.2.1",
                  "status": "affected",
                  "version": "8.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Konrad Zbylut"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-05T15:45:17.602Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-e24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-10716",
        "datePublished": "2024-12-05T15:28:29.644Z",
        "dateReserved": "2024-11-01T22:15:22.698Z",
        "dateUpdated": "2024-12-05T16:30:58.223Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-10094 (GCVE-0-2024-10094)

    Vulnerability from cvelistv5 – Published: 2024-11-20 14:45 – Updated: 2024-11-20 15:39
    VLAI
    Summary
    Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 6.1 , < 24.1.2 (custom)
    Create a notification for this product.
    pegasystems pega_infinity Affected: 6.1 , < 24.1.2 (custom)
        cpe:2.3:a:pegasystems:pega_infinity:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Daniel Wiseman from Commonwealth Bank of Australia
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:pegasystems:pega_infinity:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "pega_infinity",
                "vendor": "pegasystems",
                "versions": [
                  {
                    "lessThan": "24.1.2",
                    "status": "affected",
                    "version": "6.1",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10094",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-20T15:37:50.121588Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-20T15:39:07.542Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.1.2",
                  "status": "affected",
                  "version": "6.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Daniel Wiseman from Commonwealth Bank of Australia"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-20T14:45:22.464Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-d24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-10094",
        "datePublished": "2024-11-20T14:45:22.464Z",
        "dateReserved": "2024-10-17T16:14:24.687Z",
        "dateUpdated": "2024-11-20T15:39:07.542Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }