Skip to main content

Pega Platform CVE-2026-1562

| EUVDEUVD-2026-44726 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-15 Pega GHSA-9j28-r64w-w53x
4.6
CVSS 4.0 · Vendor: Pega
Share

Severity by source

Vendor (Pega) PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.8 MEDIUM

Developer-role requirement drives PR:H; stored XSS scope-changes to victim browser (S:C); limited C:L/I:L from script execution; no availability impact.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Pega).

CVSS VectorVendor: Pega

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 15, 2026 - 17:15 vuln.today

DescriptionCVE.org

Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.

AnalysisAI

Stored cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged developer-role user to inject persistent malicious scripts into a UI component, which execute in the browser context of other users who interact with the affected interface. The CVSS 4.0 score of 4.6 (Medium) reflects the constrained impact - limited confidentiality and integrity exposure with no availability impact - consistent with the PR:H and UI:A prerequisites that substantially reduce real-world risk. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain developer-role credentials
Delivery
Authenticate to Pega Platform
Exploit
Inject XSS payload into vulnerable UI component
Execution
Payload persists in application datastore
Persist
Victim user interacts with affected page
Impact
Malicious script executes in victim browser

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account with the developer role in Pega Platform - a high-privilege condition (PR:H) that limits the attacker population to credentialed insiders or compromised developer accounts. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N) scores 4.6 Medium, accurately reflecting the dual constraints of high-privilege prerequisite (PR:H) and required user interaction (UI:A). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user holding the Pega developer role navigates to the vulnerable UI component and submits a crafted payload containing malicious JavaScript, which the application stores without proper sanitization. When another user - potentially with higher privileges such as an administrator - later loads the affected page and interacts with the content (UI:A), their browser executes the injected script, potentially enabling session token theft or unauthorized actions within the Pega application context. …
Remediation Consult and apply the guidance in the Pega security advisory at https://support.pega.com/support-doc/pega-security-advisory-e26-vulnerability-remediation-note, which is the authoritative source for patch or upgrade instructions. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-1562 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy