CVE-2025-62180
Published 2026-06-23
Priority P3 39 · high · 7.1 (CVSS 4.0)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.21% (11.9th percentile)
Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pegasystems | pega_infinity | >= 8.3.0 < Infinity 25.1.3 | Infinity 25.1.3 |
VulDB
Pegasystems Pega Infinity up to Infinity 25.1.2 authorization
vuldb·2026-06-24·CVSS 7.1
CVE-2025-62180 [HIGH] Pegasystems Pega Infinity up to Infinity 25.1.2 authorization
A vulnerability marked as critical has been reported in Pegasystems Pega Infinity up to Infinity 25.1.2. Affected is an unknown function. The manipulation leads to authorization bypass.
This vulnerability is uniquely identified as CVE-2025-62180. The attack is possible to be carried out remotely. No exploit exists.
It is suggested to upgrade the affected component.
GHSA
Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.
ghsa_unreviewed·2026-06-23
CVE-2025-62180 [HIGH] CWE-639 Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-23
Published