Skip to main content

Pega Platform CVE-2026-1563

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-15 Pega
4.8
CVSS 4.0 · Vendor: Pega
Share

Severity by source

Vendor (Pega) PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.8 MEDIUM

Network-delivered reflected XSS requiring developer credentials (PR:H), victim interaction (UI:R), and scope change to victim browser (S:C); no availability impact.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Pega).

CVSS VectorVendor: Pega

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 15, 2026 - 17:15 vuln.today

DescriptionCVE.org

Pega Platform versions 8.1.0 through 25.1.2 are affected by an Reflected Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.

AnalysisAI

Reflected cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged attacker holding a developer role to inject malicious scripts into a user interface component, which execute in a victim's browser upon interaction. The CVSS 4.0 score of 4.8 (Medium) reflects meaningful constraints: exploitation requires both developer-level authentication and a victim's active interaction with a crafted link or payload. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Attacker holds developer-role credentials
Delivery
Identify vulnerable UI component parameter
Exploit
Craft reflected XSS payload in URL
Install
Deliver malicious link to target user via phishing
C2
Victim clicks link and renders page
Execute
Injected script executes in victim's browser
Impact
Steal session token or perform limited DOM actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold an active, authenticated session in Pega Platform with a developer role assigned - this is a high-privilege, non-default role not granted to ordinary end users. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 4.8 (Medium) is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A Pega developer who is authenticated to the platform (or whose credentials have been compromised) crafts a malicious URL targeting the vulnerable UI component, embedding a reflected XSS payload in a query parameter. The attacker sends this URL to another Pega user - for example, a business administrator - via phishing or internal messaging; when the victim clicks the link and the page renders, the injected script executes in the victim's browser session, potentially harvesting the victim's Pega session token or performing actions on their behalf. …
Remediation Organizations should consult the Pega Security Advisory E26 at https://support.pega.com/support-doc/pega-security-advisory-e26-vulnerability-remediation-note for the vendor-recommended patch or upgrade path. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-1563 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy