Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Developer-role requirement drives PR:H; stored XSS scope-changes to victim browser (S:C); limited C:L/I:L from script execution; no availability impact.
Primary rating from Vendor (Pega).
CVSS VectorVendor: Pega
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.
AnalysisAI
Stored cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged developer-role user to inject persistent malicious scripts into a UI component, which execute in the browser context of other users who interact with the affected interface. The CVSS 4.0 score of 4.6 (Medium) reflects the constrained impact - limited confidentiality and integrity exposure with no availability impact - consistent with the PR:H and UI:A prerequisites that substantially reduce real-world risk. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account with the developer role in Pega Platform - a high-privilege condition (PR:H) that limits the attacker population to credentialed insiders or compromised developer accounts. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N) scores 4.6 Medium, accurately reflecting the dual constraints of high-privilege prerequisite (PR:H) and required user interaction (UI:A). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user holding the Pega developer role navigates to the vulnerable UI component and submits a crafted payload containing malicious JavaScript, which the application stores without proper sanitization. When another user - potentially with higher privileges such as an administrator - later loads the affected page and interacts with the content (UI:A), their browser executes the injected script, potentially enabling session token theft or unauthorized actions within the Pega application context. … |
| Remediation | Consult and apply the guidance in the Pega security advisory at https://support.pega.com/support-doc/pega-security-advisory-e26-vulnerability-remediation-note, which is the authoritative source for patch or upgrade instructions. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Pega Infinity
View allAuthorization bypass in Pega Platform versions 8.3.0 through Infinity 25.1.2 allows authenticated users to access additi
Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface componen
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interf
Stored cross-site scripting (XSS) in Pega Platform versions 8.1.0 through 25.1.0 allows authenticated administrative use
Reflected cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged a
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44726
GHSA-9j28-r64w-w53x