Pega
Products by Pega Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 0 vulnerabilities in Pega. Last year, in 2025, Pega had 2 security vulnerabilities published. Right now, Pega is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 2 | 5.30 |
| 2024 | 9 | 6.39 |
| 2023 | 10 | 6.85 |
| 2022 | 6 | 7.35 |
| 2021 | 3 | 8.17 |
| 2020 | 5 | 7.33 |
| 2019 | 3 | 5.57 |
| 2018 | 1 | 4.80 |
It may take a day or so for new Pega vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Pega Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2025-62181 | Dec 10, 2025 | Pega Platform Timing-Based User Enum via Basic Auth Fixed 24.1.4/25.1.1<br>Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration issue. This issue occurs during the user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to the deprecated basic-authentication feature, and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: the Basic credentials authentication service type is deprecated starting in version 24.2: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html. | |
| CVE-2025-2161 | Apr 14, 2025 | Pega Platform XSS via Mashup before 24.2.1<br>Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup. | |
| CVE-2024-10716 | Dec 05, 2024 | XSS via Search in Pega Platform (v8.1-24.2.0)<br>Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search. | |
| CVE-2024-10094 | Nov 20, 2024 | Pega Platform Improper Code Generation Vulnerability<br>Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code. | |
| CVE-2024-6701 | Sep 12, 2024 | Pega Platform XSS in Case Type (8.1-24.1.2)<br>Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type. | |
| CVE-2024-6702 | Sep 12, 2024 | Pega Platform <=24.1.2: Stage HTML Injection (CVE-2024-6702)<br>Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage. | |
| CVE-2024-6700 | Sep 12, 2024 | XSS in App Name on Pega Platform 8.1-24.1.2<br>Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name. | |
| CVE-2023-50168 | Mar 14, 2024 | Pega Platform 6.x-8.8.4: XXE Vulnerability in PDF Gen<br>Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation. | |
| CVE-2023-50167 | Mar 06, 2024 | Pega Platform 7.1.7-23.1.1 XSS via user HTML rendering<br>Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content. | |
| CVE-2023-50166 | Jan 31, 2024 | Pega Platform XSS via redirect param (8.5.4-8.8.3)<br>Pega Platform from 8.5.4 to 8.8.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter. | |