Skip to main content

Pega Platform CVE-2025-8681

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-09-10 security@pega.com
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 19:11 vuln.today
CVE Published
Sep 10, 2025 - 16:15 nvd
MEDIUM 5.5

DescriptionCVE.org

Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component.  Requires a high privileged user with a developer role.

AnalysisAI

Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Requires a high privileged user with a developer role. Affected products include: Pega Pega Platform.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2019-16387 HIGH POC
8.1 Nov 26

PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_Li

CVE-2017-11356 MEDIUM POC
6.5 Aug 02

The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users

CVE-2017-11355 MEDIUM POC
6.1 Aug 02

Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to injec

CVE-2020-23957 MEDIUM POC
6.1 Dec 15

Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by

CVE-2023-32090 CRITICAL
9.8 Aug 07

Pega platform clients who are using versions 6.1 through 7.3.1 may be utilizing default credentials. Rated critical seve

CVE-2023-28094 CRITICAL
9.8 Jun 22

Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be util

CVE-2020-8774 HIGH
8.8 Apr 29

Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID"

CVE-2019-16388 MEDIUM POC
4.3 Nov 26

PEGA Platform 8.3.0 is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyStream=MyAle

CVE-2019-16386 MEDIUM POC
4.3 Nov 26

PEGA Platform 7.x and 8.x is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyActivi

CVE-2025-2160 HIGH
8.1 Apr 14

Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup. Rated high severity (CVSS 8.1)

CVE-2025-2161 HIGH
7.1 Apr 14

Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup. Rated high severity (CVSS 7.1)

CVE-2023-26465 MEDIUM
6.1 Jun 09

Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue. Rated medium severity (CVSS 6.1), this vulnerability i

Share

CVE-2025-8681 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy