Pega
Products (4)
- 44 CVEs
- 3 CVEs
- 1 CVE
- 1 CVE
Recent CVEs (49)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-1078 | | High | 0.47 | — | 0.00 | | Apr 7, 2026 | An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The… |
| CVE-2017-11356 | | Med | 0.46 | 6.5 | 0.04 | | Aug 2, 2017 | The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users with certain privileges to obtain sensitive configuration information by leveraging a missing access control. |
| CVE-2017-11355 | | Med | 0.43 | 6.1 | 0.03 | | Aug 2, 2017 | Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page; or the (3) pyTableName to… |
| CVE-2026-1079 | | Med | 0.39 | — | 0.00 | | Apr 7, 2026 | A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could… |
| CVE-2025-62182 | | Med | 0.34 | — | 0.00 | | Jan 13, 2026 | Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by an Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file. |
| CVE-2025-62181 | | Med | 0.34 | 5.3 | 0.00 | | Dec 10, 2025 | Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only… |
| CVE-2026-1711 | | Med | 0.31 | 4.8 | 0.00 | | Apr 15, 2026 | Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role. |
| CVE-2026-1564 | | Med | 0.31 | 4.8 | 0.00 | | Apr 15, 2026 | Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role. |
| CVE-2025-62183 | | Med | 0.31 | — | 0.00 | | Feb 17, 2026 | Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low. |
| CVE-2025-62184 | | Low | 0.22 | 3.4 | 0.00 | | Mar 31, 2026 | Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none. |
| CVE-2022-24082 | | | 0.07 | — | 0.09 | | Jul 19, 2022 | If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect… |
| CVE-2025-62180 | | | 0.00 | — | 0.00 | | Jun 23, 2026 | Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs. |
| CVE-2026-0898 | | | 0.00 | — | 0.00 | | Mar 23, 2026 | An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a… |
| CVE-2025-9559 | | | 0.00 | — | 0.00 | | Oct 16, 2025 | Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data. |
| CVE-2025-8681 | | | 0.00 | — | 0.00 | | Sep 10, 2025 | Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Requires a high privileged user with a developer role. |
| CVE-2025-2161 | | | 0.00 | — | 0.00 | | Apr 14, 2025 | Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup |
| CVE-2025-2160 | | | 0.00 | — | 0.00 | | Apr 14, 2025 | Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup |
| CVE-2024-12211 | | | 0.00 | — | 0.00 | | Jan 13, 2025 | Pega Platform versions 8.1 to Infinity 24.2.0 are affected by a Stored XSS issue with profile. |
| CVE-2024-10716 | | | 0.00 | — | 0.00 | | Dec 5, 2024 | Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search. |
| CVE-2024-10094 | | | 0.00 | — | 0.00 | | Nov 20, 2024 | Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code |