Pega
All CVEs
49 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-1078 | Pega / Pega Browser Extension | High | 0.47 | — | 0.00 | — | Apr 7, 2026 | An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The… |
| CVE-2017-11356 | Pega / Pega Platform | Medium | 0.46 | 6.5 | 0.04 | — | Aug 2, 2017 | The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users with certain privileges to obtain sensitive configuration information by leveraging a missing access control. |
| CVE-2017-11355 | Pega / Pega Platform | Medium | 0.43 | 6.1 | 0.03 | — | Aug 2, 2017 | Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page; or the (3) pyTableName to… |
| CVE-2026-1079 | Pega / Pega Browser Extension | Medium | 0.39 | — | 0.00 | — | Apr 7, 2026 | A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could… |
| CVE-2025-62182 | Pega / Customer Service Framework | Medium | 0.34 | — | 0.00 | — | Jan 13, 2026 | Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by an Unrestricted File Upload vulnerability, where a privileged user could potentially upload a malicious file. |
| CVE-2025-62181 | Pega / Pega Platform | Medium | 0.34 | 5.3 | 0.00 | — | Dec 10, 2025 | Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration issue. It occurs during the user authentication process, where a difference in response time could allow a remote unauthenticated user to determine whether a username is valid. This only… |
| CVE-2026-1711 | Pega / Pega Platform | Medium | 0.31 | 4.8 | 0.00 | — | Apr 15, 2026 | Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role. |
| CVE-2026-1564 | Pega / Pega Platform | Medium | 0.31 | 4.8 | 0.00 | — | Apr 15, 2026 | Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role. |
| CVE-2025-62183 | Pega / Pega Platform | Medium | 0.31 | — | 0.00 | — | Feb 17, 2026 | Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires an administrative user; given the extensive access rights such a user already holds, the impact to Confidentiality and Integrity is low. |
| CVE-2025-62184 | Pega / Pega Platform | Low | 0.22 | 3.4 | 0.00 | — | Mar 31, 2026 | Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires an administrative user; given the extensive access rights such a user already holds, the impact to Confidentiality is low and to Integrity none. |
| CVE-2022-24082 | Pega / Pega Platform | — | 0.07 | — | 0.09 | — | Jul 19, 2022 | If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect… |
| CVE-2025-62180 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Jun 23, 2026 | Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs. |
| CVE-2026-0898 | Pega / Pega Browser Extension | — | 0.00 | — | 0.00 | — | Mar 23, 2026 | An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a… |
| CVE-2025-9559 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Oct 16, 2025 | Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data. |
| CVE-2025-8681 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Sep 10, 2025 | Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Requires a high privileged user with a developer role. |
| CVE-2025-2161 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Apr 14, 2025 | Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup. |
| CVE-2025-2160 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Apr 14, 2025 | Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup. |
| CVE-2024-12211 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Jan 13, 2025 | Pega Platform versions 8.1 to Infinity 24.2.0 are affected by a Stored XSS issue with profile. |
| CVE-2024-10716 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Dec 5, 2024 | Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search. |
| CVE-2024-10094 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Nov 20, 2024 | Pega Platform versions 6.x to Infinity 24.1.1 are affected by an Improper Control of Generation of Code issue. |
| CVE-2024-6702 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Sep 12, 2024 | Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage. |
| CVE-2024-6701 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Sep 12, 2024 | Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type. |
| CVE-2024-6700 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Sep 12, 2024 | Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name. |
| CVE-2023-50168 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Mar 14, 2024 | Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation. |
| CVE-2023-50167 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Mar 6, 2024 | Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user HTML content. |
| CVE-2023-50166 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Jan 31, 2024 | Pega Platform from 8.5.4 to 8.8.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter. |
| CVE-2023-50165 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Jan 31, 2024 | Pega Platform versions 8.2.1 to Infinity 23.1.0 are affected by a generated-PDF issue that could expose file contents. |
| CVE-2023-32089 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Oct 18, 2023 | Pega Platform versions 8.1 to 8.8.2 are affected by an XSS issue with Pin description. |
| CVE-2023-32088 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Oct 18, 2023 | Pega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS issue with ad-hoc case creation. |
| CVE-2023-32087 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Oct 18, 2023 | Pega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS issue with task creation. |
| CVE-2023-4843 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Sep 8, 2023 | Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field used in Visual Business Director; however, this field can only be modified by an authenticated administrative user. |
| CVE-2023-32090 | Pega / Pega Platform | — | 0.00 | — | 0.01 | — | Aug 7, 2023 | Pega Platform clients who are using versions 6.1 through 7.3.1 may be using default credentials. |
| CVE-2023-28094 | Pega / Pega Platform | — | 0.00 | — | 0.01 | — | Jun 22, 2023 | Pega Platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be using default credentials. |
| CVE-2023-26465 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Jun 9, 2023 | Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue. |
| CVE-2023-31290 | Trust Wallet / Trust Wallet Core | — | 0.00 | — | 0.01 | — | Apr 27, 2023 | Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023. This occurs because the mt19937 Mersenne Twister takes a single 32-bit… |
| CVE-2022-35656 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Aug 22, 2022 | Pega Platform from 8.3 to 8.7.3 has a vulnerability that may allow authenticated security administrators to alter CSRF settings directly. |
| CVE-2022-35655 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Aug 22, 2022 | Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a data page setting. |
| CVE-2022-35654 | Pega / Pega Platform | — | 0.00 | — | 0.00 | — | Aug 22, 2022 | Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter. |
| CVE-2020-15390 | Pega / Pega Platform | — | 0.00 | — | 0.01 | — | Apr 12, 2021 | pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo. |
| CVE-2021-27653 | Pega / Pega Platform | — | 0.00 | — | 0.01 | — | Apr 1, 2021 | Misconfiguration of the Pega Chat Access Group portal in Pega Platform 7.4.0 - 8.5.x could lead to unintended data exposure. |
| CVE-2020-23957 | Pega / Pega Platform | — | 0.00 | — | 0.01 | — | Dec 15, 2020 | Pega Platform through 8.4.x is affected by Cross-Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI. |
| CVE-2020-24353 | Pega / Pega Platform | — | 0.00 | — | 0.01 | — | Nov 9, 2020 | Pega Platform before 8.4.0 has an XSS issue via stream rule parameters used in the request header. |
| CVE-2019-16374 | Pega / Pega Platform | — | 0.00 | — | 0.02 | — | Aug 13, 2020 | Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control. |
| CVE-2020-8775 | Pega / Pega Platform | — | 0.00 | — | 0.01 | — | Apr 29, 2020 | Pega Platform before version 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the comment tags. |
| CVE-2020-8773 | Pega / Pega Platform | — | 0.00 | — | 0.01 | — | Apr 29, 2020 | The Richtext Editor in Pega Platform before 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability. |
| CVE-2020-8774 | Pega / Pega Platform | — | 0.00 | — | 0.01 | — | Apr 29, 2020 | Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID" function. |
| CVE-2019-16388 | Pega / Pega Platform | — | 0.00 | — | 0.01 | — | Nov 26, 2019 | PEGA Platform 8.3.0 is vulnerable to Information Disclosure via a direct prweb/sso/random_token/!STANDARD?pyStream=MyAlerts request to get Audit Log information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an… |
| CVE-2019-16387 | Pega / Pega Platform | — | 0.00 | — | 0.01 | — | Nov 26, 2019 | PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_ListDatabases request while using a low-privilege account. (This can perform actions and retrieve data that only an administrator should have access to.) NOTE:… |
| CVE-2019-16386 | Pega / Pega Platform | — | 0.00 | — | 0.01 | — | Nov 26, 2019 | PEGA Platform 7.x and 8.x is vulnerable to Information Disclosure via a direct prweb/sso/random_token/!STANDARD?pyActivity=GetWebInfo&target=popup&pzHarnessID=random_harness_id request to get database schema information while using a low-privilege account. NOTE: The vendor… |
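Two of the descriptions in the table name their mechanism precisely enough to demonstrate generically: the LDAP injection through an unescaped `*` in a username of unbounded length (CVE-2019-16374), and the response-time user enumeration during authentication (CVE-2025-62181). The Python below is an added example written for this page; it is not Pega's code, is not derived from any Pega advisory, and does not reproduce any Pega request. The toy directory, the `MAX_USERNAME_LEN` limit, the credential store, the fixed salt and the PBKDF2 iteration count are all constructed for illustration. For each defect it shows the vulnerable form beside the hardened one, with a stand-in directory search that interprets an unescaped `*` the way an LDAP substring filter would, and a hash counter in place of a stopwatch so the timing difference is visible deterministically.

```python
"""Added example (generic, not Pega's code): vulnerable and hardened forms of
1. LDAP filter injection: an unescaped '*' in '(uid=...)' is a wildcard, so
   'admi*' matches 'administrator'.  Fix: RFC 4515 escaping + a length cap.
2. Timing-based user enumeration: returning early for unknown users skips the
   password hash, so the two failure paths differ in time.  Fix: equal work.
"""
import hashlib
import hmac
import os

# ---- 1. LDAP filter injection ------------------------------------------------
DIRECTORY = {"administrator": "cn=admin", "alice": "cn=alice", "bob": "cn=bob"}
MAX_USERNAME_LEN = 64  # assumed policy value; the real cap is a deployment choice


def escape_filter_value(value: str) -> str:
    """RFC 4515: '\\', '*', '(', ')' and NUL become '\\xx' hex escapes, so the
    directory matches them literally instead of parsing them."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter_vulnerable(username: str) -> str:
    """Raw interpolation: a '*' in the username keeps its wildcard meaning."""
    return "(uid=%s)" % username


def build_filter_hardened(username: str) -> str:
    """Escape the value and refuse over-long input before it reaches LDAP."""
    if len(username) > MAX_USERNAME_LEN:
        raise ValueError("username exceeds %d characters" % MAX_USERNAME_LEN)
    return "(uid=%s)" % escape_filter_value(username)


def _parse_assertion(pattern: str) -> list:
    """Split an assertion value into literal segments; None marks an unescaped
    '*'.  A '\\xx' escape decodes back into one literal character."""
    segments, current, i = [], [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 2 < len(pattern):
            current.append(chr(int(pattern[i + 1:i + 3], 16)))
            i += 3
        elif ch == "*":
            segments.append("".join(current))
            segments.append(None)
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    segments.append("".join(current))
    return segments


def _wildcard_match(value: str, segments: list) -> bool:
    """Substring-filter semantics: literals in order, anything between them."""
    literals = [s for s in segments if s is not None]
    if len(literals) == 1:  # no wildcard: exact equality
        return value == literals[0]
    if not value.startswith(literals[0]) or not value.endswith(literals[-1]):
        return False
    pos, limit = len(literals[0]), len(value) - len(literals[-1])
    for middle in literals[1:-1]:
        idx = value.find(middle, pos, limit)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return pos <= limit


def ldap_search(filter_str: str) -> list:
    """Stand-in server: evaluate '(uid=<assertion>)' against DIRECTORY."""
    if not (filter_str.startswith("(uid=") and filter_str.endswith(")")):
        raise ValueError("only (uid=...) filters are supported here")
    segments = _parse_assertion(filter_str[len("(uid="):-1])
    return sorted(uid for uid in DIRECTORY if _wildcard_match(uid, segments))


# ---- 2. Timing-based user enumeration ----------------------------------------
ITERATIONS = 20_000  # deliberately low for the example; production uses far more
_SALT = b"constructed-salt"  # one fixed salt keeps the constructed store short


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed credential store, plus a dummy record (hashed once at start-up)
# that the hardened path verifies against when the username is unknown.
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}
_DUMMY = (_SALT, _hash_password(os.urandom(16).hex(), _SALT))


def login_vulnerable(username: str, password: str, work: list) -> bool:
    """Unknown user returns before any hashing; 'work' records each hash."""
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    work.append("hash")
    return hmac.compare_digest(_hash_password(password, salt), stored)


def login_hardened(username: str, password: str, work: list) -> bool:
    """Hash and compare on every call (against the dummy when the user is
    unknown), so both failure paths do the same work."""
    salt, stored = USERS.get(username, _DUMMY)
    work.append("hash")
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    return matched and username in USERS


if __name__ == "__main__":
    print(ldap_search(build_filter_vulnerable("admi*")))  # ['administrator']
    print(ldap_search(build_filter_hardened("admi*")))    # []
    for fn in (login_vulnerable, login_hardened):
        work = []
        fn("nobody", "x", work)
        print(fn.__name__, "hashes for unknown user:", len(work))
```

The escaping makes the directory see `admi\2a`, a literal five-character value that matches no entry, while the length cap stops an attacker from padding a username into a filter the server parses slowly. On the authentication side the point is that the unknown-user branch must do the same hashing as the wrong-password branch; the dummy record is what makes that cheap to guarantee.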