Pega Platform vulnerabilities
27 known vulnerabilities affecting pega/pega_platform.
Total CVEs: 27
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 3, MEDIUM 20, LOW 1
Vulnerabilities
Page 1 of 2
CVE-2017-11356 | P3 | MEDIUM | CVSS 6.5 | PoC: yes | affected: ≤ 7.2_ml0 | published: 2017-08-02
CWE-200
The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users with certain privileges to obtain sensitive configuration information by leveraging a missing access control.
Source: nvd

CVE-2017-11355 | P4 | MEDIUM | CVSS 6.1 | PoC: yes | affected: ≤ 7.2_ml0 | published: 2017-08-02
CWE-79
Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page; or the (3) pyTableName to the System database schema modification page.
Source: nvd

CVE-2023-28094 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ 6.1, ≤ 8.8.3 | published: 2023-06-22
CWE-1393
Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials.
Source: nvd

CVE-2023-32090 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ 6.1, ≤ 7.3.1 | published: 2023-08-07
CWE-1393
Pega platform clients who are using versions 6.1 through 7.3.1 may be utilizing default credentials.
Source: nvd

CVE-2020-15390 | P3 | CRITICAL | CVSS 9.8 | affected: 8.4.0.237 | published: 2021-04-12
CWE-269
pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo.
Source: nvd

CVE-2019-16387 | P3 | HIGH | CVSS 8.1 | affected: 8.3 | published: 2019-11-26
CWE-668
PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_ListDatabases request while using a low-privilege account. (This can perform actions and retrieve data that only an administrator should have access to.) NOTE: The vendor states that this vulnerability was discovered using an administr
Source: nvd

CVE-2023-50168 | P3 | HIGH | CVSS 7.7 | fixed in 8.8.5 | published: 2024-03-14
CWE-611
Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation.
Source: nvd

CVE-2025-9559 | P3 | MEDIUM | CVSS 6.5 | affected: ≥ 7.1.0, < 23.1.5; ≥ 24.1.0, ≤ 24.1.3; +1 more | published: 2025-10-16
CWE-639
Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data.
Source: nvd

CVE-2020-8774 | P4 | HIGH | CVSS 8.8 | fixed in 8.2.6 | published: 2020-04-29
CWE-79
Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID" function.
Source: nvd

CVE-2024-12211 | P4 | MEDIUM | CVSS 5.4 | affected: ≥ 8.1, < 23.1.4; ≥ 24.1.0, < 24.1.2; +1 more | published: 2025-01-13
CWE-79
Pega Platform versions 8.1 to Infinity 24.2.0 are affected by a Stored XSS issue with profile.
Source: nvd

CVE-2025-8681 | P4 | MEDIUM | CVSS 5.4 | affected: ≥ 7.1.0, < 23.1.5; ≥ 24.1.0, < 24.1.3; +1 more | published: 2025-09-10
CWE-79
Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Requires a high privileged user with a developer role.
Source: nvd

CVE-2023-26465 | P4 | MEDIUM | CVSS 6.1 | affected: ≥ 7.2, ≤ 8.8.1 | published: 2023-06-09
CWE-79
Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue.
Source: nvd

CVE-2022-35654 | P4 | MEDIUM | CVSS 6.1 | affected: ≥ 8.5.4, ≤ 8.7.3 | published: 2022-08-22
CWE-79
Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.
Source: nvd

CVE-2023-50167 | P4 | MEDIUM | CVSS 6.1 | affected: ≥ 7.1.7, < 8.8.5; 23.1.1 | published: 2024-03-06
CWE-79
Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content.
Source: nvd

CVE-2025-2161 | P4 | MEDIUM | CVSS 6.1 | affected: ≥ 7.2.1, < 8.5.5; ≥ 23.1.0, < 23.1.4; +2 more | published: 2025-04-14
CWE-79
Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup.
Source: nvd

CVE-2025-2160 | P4 | MEDIUM | CVSS 6.1 | affected: ≥ 8.4.3, < 8.5.5; ≥ 23.1.0, < 23.1.4; +2 more | published: 2025-04-14
CWE-79
Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup.
Source: nvd

CVE-2020-23957 | P4 | MEDIUM | CVSS 6.1 | affected: ≥ 8.4, ≤ 8.4.2 | published: 2020-12-15
CWE-79
Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI.
Source: nvd

CVE-2020-24353 | P4 | MEDIUM | CVSS 6.1 | fixed in 8.4 | published: 2020-11-09
CWE-79
Pega Platform before 8.4.0 has an XSS issue via stream rule parameters used in the request header.
Source: nvd

CVE-2022-35655 | P4 | MEDIUM | CVSS 6.1 | affected: ≥ 7.3, ≤ 8.7.3 | published: 2022-08-22
CWE-79
Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting.
Source: nvd

CVE-2023-4843 | P4 | MEDIUM | CVSS 4.8 | affected: ≥ 7.1.0, ≤ 8.8.3 | published: 2023-09-08
CWE-74
Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director; however, this field can only be modified by an authenticated administrative user.
Source: nvd