Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could occur if a user navigates to this website. The malicious website could then present an unexpected message box.
AnalysisAI
Remote code execution via malicious websites targeting Pega Browser Extension (PBE) allows unauthenticated attackers to trigger unexpected message boxes and cause availability impact on affected systems. All versions of Pega Browser Extension prior to 3.1.45 are vulnerable; the attack requires user interaction (navigation to a malicious website) but no special privileges. CVSS 6.0 score reflects the moderate severity with high availability impact potential. No active exploitation or public exploit code has been identified at the time of analysis.
Technical ContextAI
The vulnerability resides in the native messaging host mechanism of Pega Browser Extension, a browser-based automation tool used within Pega Robotic Automation environments. Native messaging hosts enable bidirectional communication between web content and native applications; improper input validation or access control (CWE-284: Improper Access Control) in this messaging interface allows a remote attacker to craft malicious JavaScript on a website that communicates with the PBE native host. The affected product is identified by CPE cpe:2.3:a:pegasystems:pega_browser_extension_(pbe):*:*:*:*:*:*:*:*, with all versions prior to 3.1.45 confirmed vulnerable by ENISA EUVD-2026-19640.
RemediationAI
Upgrade Pega Browser Extension to version 3.1.45 or later to remediate the native messaging host vulnerability. Users should apply this patch immediately to all systems running PBE within Pega Robotic Automation deployments. Consult Pega's security advisory at https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note for detailed upgrade instructions and validation steps. No interim workarounds have been identified; patching is the primary mitigation.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19640
GHSA-5f74-cm8j-hpf8