CVE-2025-62184
Status: Received - Intake
Stored XSS in Pega Platform UI Component Requires Admin Access

Publication date: 2026-03-31

Last updated on: 2026-04-03

Assigner: Pegasystems Inc.

Description
Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Exploitation requires an administrative user; given the extensive access rights such a user already holds, the impact to confidentiality is low and the impact to integrity is none.
Meta Information
Published: 2026-03-31
Last Modified: 2026-04-03
Generated: 2026-05-06
AI Q&A: 2026-03-31
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: pega
Product: pega_platform
Version / Range: from 8.1 (inclusive) to 25.1.0 (inclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-62184 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability affecting Pega Platform versions 8.1.0 through 25.1.0. It exists in a user interface component and allows an attacker to inject malicious executable scripts into the trusted application code.

Exploitation typically involves tricking an administrative user, who has extensive access rights, into clicking a malicious link. This can lead to the execution of malicious scripts within the context of the trusted application.

How can this vulnerability impact me?

The impact of this vulnerability is considered medium severity with low impact on confidentiality and no impact on integrity, given that exploitation requires an administrative user with extensive access rights.

If exploited, an attacker could execute malicious scripts within the Pega Platform environment, potentially compromising users who have access to Pega Prediction Studio. However, no compromises have been reported so far.

Users are strongly advised to update to the latest patch releases to mitigate this risk.

What immediate steps should I take to mitigate this vulnerability?

To mitigate the CVE-2025-62184 vulnerability, users are strongly advised to update their Pega Platform installations to the latest patch releases.

  • Apply patch version 24.1.4 or later if using version 24.x.
  • Apply patch version 24.2.4 or later when it becomes available.
  • Upgrade to version 25.1.1 or later if using version 25.1.0.

No hotfixes will be issued for this vulnerability, so patching is the recommended and only supported remediation method.

For further assistance or questions, users should raise support tickets via the Pega Support Portal.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability is a Stored Cross-site Scripting (XSS) issue that requires an administrative user with extensive access rights to exploit. The impact on confidentiality is low and there is no impact on integrity.

Given the low confidentiality impact and the requirement for high privileges, the vulnerability may pose a limited risk to compliance with standards like GDPR or HIPAA, which emphasize protecting sensitive data and maintaining data integrity.

However, since the vulnerability allows injection of malicious scripts into trusted application code, it could potentially be leveraged to compromise user sessions or data if exploited, which might raise concerns under these regulations if not properly mitigated.

Pega has released patches to address this vulnerability, and applying these updates is strongly advised to reduce risk and maintain compliance with security best practices required by such standards.
