CVE-2025-62184
Received Received - Intake
Stored XSS in Pega Platform UI Component Requires Admin Access

Publication date: 2026-03-31

Last updated on: 2026-04-03

Assigner: Pegasystems Inc.

Description
Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62184
EUVD
EUVD-2025-209147
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pega pega_platform From 8.1 (inc) to 25.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-62184 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability affecting Pega Platform versions 8.1.0 through 25.1.0. It exists in a user interface component and allows an attacker to inject malicious executable scripts into the trusted application code.

Exploitation typically involves tricking an administrative user, who has extensive access rights, into clicking a malicious link. This can lead to the execution of malicious scripts within the context of the trusted application.

Impact Analysis

The impact of this vulnerability is considered medium severity with low impact on confidentiality and no impact on integrity, given that exploitation requires an administrative user with extensive access rights.

If exploited, an attacker could execute malicious scripts within the Pega Platform environment, potentially compromising users who have access to Pega Prediction Studio. However, no compromises have been reported so far.

Users are strongly advised to update to the latest patch releases to mitigate this risk.

Mitigation Strategies

To mitigate the CVE-2025-62184 vulnerability, users are strongly advised to update their Pega Platform installations to the latest patch releases.

  • Apply patch version 24.1.4 or later if using version 24.x.
  • Apply patch version 24.2.4 or later when it becomes available.
  • Upgrade to version 25.1.1 or later if using version 25.1.0.

No hotfixes will be issued for this vulnerability, so patching is the recommended and only supported remediation method.

For further assistance or questions, users should raise support tickets via the Pega Support Portal.

Compliance Impact

The vulnerability is a Stored Cross-site Scripting (XSS) issue that requires an administrative user with extensive access rights to exploit. The impact on confidentiality is low and there is no impact on integrity.

Given the low confidentiality impact and the requirement for high privileges, the vulnerability may pose a limited risk to compliance with standards like GDPR or HIPAA, which emphasize protecting sensitive data and maintaining data integrity.

However, since the vulnerability allows injection of malicious scripts into trusted application code, it could potentially be leveraged to compromise user sessions or data if exploited, which might raise concerns under these regulations if not properly mitigated.

Pega has released patches to address this vulnerability, and applying these updates is strongly advised to reduce risk and maintain compliance with security best practices required by such standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62184. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart