Pega Platform CVE-2026-1563
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered reflected XSS requiring developer credentials (PR:H), victim interaction (UI:R), and scope change to victim browser (S:C); no availability impact.
Primary rating from Vendor (Pega).
CVSS VectorVendor: Pega
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Pega Platform versions 8.1.0 through 25.1.2 are affected by an Reflected Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.
AnalysisAI
Reflected cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged attacker holding a developer role to inject malicious scripts into a user interface component, which execute in a victim's browser upon interaction. The CVSS 4.0 score of 4.8 (Medium) reflects meaningful constraints: exploitation requires both developer-level authentication and a victim's active interaction with a crafted link or payload. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold an active, authenticated session in Pega Platform with a developer role assigned - this is a high-privilege, non-default role not granted to ordinary end users. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 4.8 (Medium) is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A Pega developer who is authenticated to the platform (or whose credentials have been compromised) crafts a malicious URL targeting the vulnerable UI component, embedding a reflected XSS payload in a query parameter. The attacker sends this URL to another Pega user - for example, a business administrator - via phishing or internal messaging; when the victim clicks the link and the page renders, the injected script executes in the victim's browser session, potentially harvesting the victim's Pega session token or performing actions on their behalf. … |
| Remediation | Organizations should consult the Pega Security Advisory E26 at https://support.pega.com/support-doc/pega-security-advisory-e26-vulnerability-remediation-note for the vendor-recommended patch or upgrade path. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Pega Infinity
View allAuthorization bypass in Pega Platform versions 8.3.0 through Infinity 25.1.2 allows authenticated users to access additi
Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface componen
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interf
Stored cross-site scripting (XSS) in Pega Platform versions 8.1.0 through 25.1.0 allows authenticated administrative use
Stored cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged deve
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today