Pega Platform
by Pega
CVEs (44)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-11356 | | Med | 0.46 | 6.5 | 0.04 | | Aug 2, 2017 | The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users with certain privileges to obtain sensitive configuration information by leveraging a missing access control. |
| CVE-2017-11355 | | Med | 0.43 | 6.1 | 0.03 | | Aug 2, 2017 | Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page; or the (3) pyTableName to… |
| CVE-2025-62181 | | Med | 0.34 | 5.3 | 0.00 | | Dec 10, 2025 | Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only… |
| CVE-2026-1711 | | Med | 0.31 | 4.8 | 0.00 | | Apr 15, 2026 | Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role. |
| CVE-2026-1564 | | Med | 0.31 | 4.8 | 0.00 | | Apr 15, 2026 | Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role. |
| CVE-2025-62183 | | Med | 0.31 | — | 0.00 | | Feb 17, 2026 | Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low. |
| CVE-2025-62184 | | Low | 0.22 | 3.4 | 0.00 | | Mar 31, 2026 | Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none. |
| CVE-2022-24082 | | | 0.07 | — | 0.09 | | Jul 19, 2022 | If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect… |
| CVE-2025-62180 | | | 0.00 | — | 0.00 | | Jun 23, 2026 | Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs. |
| CVE-2025-9559 | | | 0.00 | — | 0.00 | | Oct 16, 2025 | Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data. |
| CVE-2025-8681 | | | 0.00 | — | 0.00 | | Sep 10, 2025 | Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Requires a high privileged user with a developer role. |
| CVE-2025-2161 | | | 0.00 | — | 0.00 | | Apr 14, 2025 | Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup |
| CVE-2025-2160 | | | 0.00 | — | 0.00 | | Apr 14, 2025 | Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup |
| CVE-2024-12211 | | | 0.00 | — | 0.00 | | Jan 13, 2025 | Pega Platform versions 8.1 to Infinity 24.2.0 are affected by a Stored XSS issue with profile. |
| CVE-2024-10716 | | | 0.00 | — | 0.00 | | Dec 5, 2024 | Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search. |
| CVE-2024-10094 | | | 0.00 | — | 0.00 | | Nov 20, 2024 | Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code |
| CVE-2024-6702 | | | 0.00 | — | 0.00 | | Sep 12, 2024 | Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage. |
| CVE-2024-6701 | | | 0.00 | — | 0.00 | | Sep 12, 2024 | Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type. |
| CVE-2024-6700 | | | 0.00 | — | 0.00 | | Sep 12, 2024 | Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name. |
| CVE-2023-50168 | | | 0.00 | — | 0.00 | | Mar 14, 2024 | Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation. |