Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none.
AnalysisAI
Stored cross-site scripting (XSS) in Pega Platform versions 8.1.0 through 25.1.0 allows authenticated administrative users with extensive access rights to inject malicious scripts into user interface components, potentially compromising the confidentiality of other users who interact with affected UI elements. The vulnerability requires high-privilege administrative access and user interaction to exploit, resulting in a CVSS 4.8 (low severity) with no integrity or availability impact. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
The vulnerability is a classic stored cross-site scripting (CWE-79) flaw occurring in a Pega Platform user interface component. Pega Infinity is a low-code business process management and customer engagement platform built on Java/enterprise architecture. Stored XSS vulnerabilities in such platforms typically arise when user-supplied input (form fields, configuration parameters, or custom UI elements) is persisted in a backend database and subsequently rendered in the browser without proper output encoding or sanitization. The affected CPE (cpe:2.3:a:pegasystems:pega_infinity:*:*:*:*:*:*:*:*) covers all versions of Pega Infinity, with the specific vulnerable range confirmed as 8.1.0 through 25.1.0. The attack surface is limited to authenticated administrative users, significantly constraining real-world risk in multi-tenant or role-based access control environments.
RemediationAI
Organizations should apply the vendor-released patch from Pega as documented in the official security advisory at https://support.pega.com/support-doc/pega-security-advisory-o25-vulnerability-remediation-note. The advisory provides specific patched version numbers and installation instructions for affected Pega Infinity deployments. As an interim mitigation pending patch deployment, restrict administrative UI component editing privileges to trusted personnel, implement web application firewall (WAF) rules to detect and block script injection patterns in POST/PUT requests to Pega configuration endpoints, and review audit logs for unauthorized modifications to UI components. For defense-in-depth, ensure Content Security Policy (CSP) headers are enforced on all Pega platform deployments to limit XSS payload execution even if stored injection occurs.
More in Pega Infinity
View allAuthorization bypass in Pega Platform versions 8.3.0 through Infinity 25.1.2 allows authenticated users to access additi
Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface componen
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interf
Reflected cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged a
Stored cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged deve
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209147