Skip to main content

Pega Infinity

6 CVEs product

Monthly

CVE-2026-1563 MEDIUM This Month

Reflected cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged attacker holding a developer role to inject malicious scripts into a user interface component, which execute in a victim's browser upon interaction. The CVSS 4.0 score of 4.8 (Medium) reflects meaningful constraints: exploitation requires both developer-level authentication and a victim's active interaction with a crafted link or payload. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

XSS Pega Infinity
NVD
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-1562 MEDIUM This Month

Stored cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged developer-role user to inject persistent malicious scripts into a UI component, which execute in the browser context of other users who interact with the affected interface. The CVSS 4.0 score of 4.6 (Medium) reflects the constrained impact - limited confidentiality and integrity exposure with no availability impact - consistent with the PR:H and UI:A prerequisites that substantially reduce real-world risk. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Pega Infinity
NVD
CVSS 4.0
4.6
EPSS
0.3%
CVE-2025-62180 HIGH This Week

Authorization bypass in Pega Platform versions 8.3.0 through Infinity 25.1.2 allows authenticated users to access additional data they should not be permitted to view by submitting crafted URLs. The flaw is a CWE-639 authorization key manipulation issue affecting Pega Infinity deployments, with no public exploit identified at time of analysis and high confidentiality impact per the vendor-provided CVSS 4.0 vector.

Authentication Bypass Pega Infinity
NVD
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-1711 MEDIUM This Month

Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.

XSS Pega Infinity
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-1564 MEDIUM This Month

Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.

XSS Pega Infinity
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-62184 MEDIUM This Month

Stored cross-site scripting (XSS) in Pega Platform versions 8.1.0 through 25.1.0 allows authenticated administrative users with extensive access rights to inject malicious scripts into user interface components, potentially compromising the confidentiality of other users who interact with affected UI elements. The vulnerability requires high-privilege administrative access and user interaction to exploit, resulting in a CVSS 4.8 (low severity) with no integrity or availability impact. No public exploit code or active exploitation has been identified at time of analysis.

XSS Pega Infinity
NVD
CVSS 4.0
4.8
EPSS
0.0%
EPSS 0% CVSS 4.8
MEDIUM This Month

Reflected cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged attacker holding a developer role to inject malicious scripts into a user interface component, which execute in a victim's browser upon interaction. The CVSS 4.0 score of 4.8 (Medium) reflects meaningful constraints: exploitation requires both developer-level authentication and a victim's active interaction with a crafted link or payload. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

XSS Pega Infinity
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged developer-role user to inject persistent malicious scripts into a UI component, which execute in the browser context of other users who interact with the affected interface. The CVSS 4.0 score of 4.6 (Medium) reflects the constrained impact - limited confidentiality and integrity exposure with no availability impact - consistent with the PR:H and UI:A prerequisites that substantially reduce real-world risk. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Pega Infinity
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Authorization bypass in Pega Platform versions 8.3.0 through Infinity 25.1.2 allows authenticated users to access additional data they should not be permitted to view by submitting crafted URLs. The flaw is a CWE-639 authorization key manipulation issue affecting Pega Infinity deployments, with no public exploit identified at time of analysis and high confidentiality impact per the vendor-provided CVSS 4.0 vector.

Authentication Bypass Pega Infinity
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.

XSS Pega Infinity
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.

XSS Pega Infinity
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting (XSS) in Pega Platform versions 8.1.0 through 25.1.0 allows authenticated administrative users with extensive access rights to inject malicious scripts into user interface components, potentially compromising the confidentiality of other users who interact with affected UI elements. The vulnerability requires high-privilege administrative access and user interaction to exploit, resulting in a CVSS 4.8 (low severity) with no integrity or availability impact. No public exploit code or active exploitation has been identified at time of analysis.

XSS Pega Infinity
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy