Skip to main content

Pega Platform CVE-2025-2160

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-04-14 security@pega.com
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 18:36 vuln.today
CVE Published
Apr 14, 2025 - 15:15 nvd
HIGH 8.1

DescriptionCVE.org

Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup

AnalysisAI

Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup Affected products include: Pega Pega Platform.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2019-16387 HIGH POC
8.1 Nov 26

PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_Li

CVE-2017-11356 MEDIUM POC
6.5 Aug 02

The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users

CVE-2017-11355 MEDIUM POC
6.1 Aug 02

Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to injec

CVE-2020-23957 MEDIUM POC
6.1 Dec 15

Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by

CVE-2023-32090 CRITICAL
9.8 Aug 07

Pega platform clients who are using versions 6.1 through 7.3.1 may be utilizing default credentials. Rated critical seve

CVE-2023-28094 CRITICAL
9.8 Jun 22

Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be util

CVE-2020-8774 HIGH
8.8 Apr 29

Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID"

CVE-2019-16388 MEDIUM POC
4.3 Nov 26

PEGA Platform 8.3.0 is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyStream=MyAle

CVE-2019-16386 MEDIUM POC
4.3 Nov 26

PEGA Platform 7.x and 8.x is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyActivi

CVE-2025-2161 HIGH
7.1 Apr 14

Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup. Rated high severity (CVSS 7.1)

CVE-2023-26465 MEDIUM
6.1 Jun 09

Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue. Rated medium severity (CVSS 6.1), this vulnerability i

CVE-2022-35655 MEDIUM
6.1 Aug 22

Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting. Rated mediu

Share

CVE-2025-2160 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy