CVE-2026-1562
Received Received - Intake

Stored XSS in Pega Platform

Vulnerability report for CVE-2026-1562, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: Pegasystems Inc.

Description

Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
pega platform From 8.1.0 (inc) to 25.1.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a Stored Cross-site Scripting (XSS) vulnerability in Pega Platform versions 8.1.0 through 25.1.2. It requires a high-privileged user with a developer role to exploit. The vulnerability allows malicious scripts to be stored on the platform and executed when other users access the affected component.

Impact Analysis

An attacker with developer access could inject malicious scripts into the platform. This could lead to unauthorized actions, data theft, or session hijacking for other users accessing the compromised interface.

Compliance Impact

Stored XSS vulnerabilities can expose sensitive user data, violating GDPR's data protection requirements and HIPAA's security rules. Compliance may be impacted if user data is compromised due to this vulnerability.

Detection Guidance

Detection requires checking Pega Platform versions 8.1.0 through 25.1.2 for the presence of the XSS vulnerability. Review user roles with developer or admin access to identify potential exploitation vectors. No specific commands are provided in the resources.

Mitigation Strategies

Apply available hotfixes for versions 23.1.5, 24.1.4, and 25.1.2 or upgrade to patched versions 24.2.4, 25.1.3. Hotfixes do not require a restart and are applied proactively for Pega Cloud clients. On-premises clients should download hotfixes from My Security Hotfixes on My Pega.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1562. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart