CVE-2025-8681
BaseFortify

Publication date: 2025-09-10

Last updated on: 2025-10-29

Assigner: Pegasystems Inc.

Description
Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Exploitation requires a highly privileged user with a developer role.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published: 2025-09-10
Last Modified: 2025-10-29
Generated: 2026-05-07
AI Q&A: 2025-09-10
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
pega pega_platform From 7.1.0 (inc) to 23.1.5 (exc)
pega pega_platform From 24.1.0 (inc) to 24.1.3 (exc)
pega pega_platform From 24.2.0 (inc) to 24.2.2 (exc)
Helpful Resources
Exploitability
CWE
KEV
CWE ID and Description
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-8681 is a medium severity Stored Cross-Site Scripting (XSS) vulnerability in the Pega Platform affecting versions 7.1.0 to 24.2.2. It allows attackers to inject malicious executable scripts into trusted application code via a user interface component. Exploitation requires a high privileged user with a developer role, limiting the attack surface. [1]


How can this vulnerability impact me?

This vulnerability can allow attackers with developer-level access to inject malicious scripts into the Pega Platform, potentially leading to unauthorized actions or data exposure within the application. However, exploitation requires high privileges, and no client compromises have been reported so far. [1]


What immediate steps should I take to mitigate this vulnerability?

To mitigate the CVE-2025-8681 vulnerability in Pega Platform, you should update your system to a patched version. Specifically, versions 23.1.5 and 25.1.0 are already patched and require no action. For versions 24.1.3 and 24.2.2, apply the relevant updates or hotfixes: for 24.1.3, apply hotfix HFIX-C2685 or update to 24.1.4 Patch Release; for 24.2.2, apply hotfix HFIX-C2684 or update to 24.2.3 Patch Release. Pega recommends updating to the latest platform releases to ensure all security, feature, and bug fixes are included. [1]

