Pega Platform
By the Year
In 2026 there have been 0 vulnerabilities in Pega Platform. Last year, in 2025, Pega Platform had 2 security vulnerabilities published. Right now, Pega Platform is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 2 | 5.30 |
| 2024 | 3 | 6.20 |
| 2023 | 4 | 7.63 |
| 2022 | 3 | 5.57 |
| 2021 | 1 | 9.80 |
| 2020 | 2 | 6.10 |
| 2019 | 3 | 5.57 |
| 2018 | 1 | 4.80 |
It may take a day or so for new Pega Platform vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Pega Platform Security Vulnerabilities
Pega Platform Timing-Based User Enum via Basic Auth Fixed 24.1.4/25.1.1
CVE-2025-62181
5.3 - Medium
- December 10, 2025
Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration issue. This issue occurs during the user authentication process, where a difference in response time could allow a remote unauthenticated user to determine whether a username is valid. This only applies to the deprecated basic-authentication feature, and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: the Basic credentials authentication service type is deprecated starting in version 24.2: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html.
Observable Response Discrepancy
Pega Platform XSS via Mashup before 24.2.1
CVE-2025-2161
- April 14, 2025
Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup.
Pega Platform XSS in Case Type (8.1-24.1.2)
CVE-2024-6701
4.8 - Medium
- September 12, 2024
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.
XSS
Pega Platform 6.x-8.8.4: XXE Vulnerability in PDF Gen
CVE-2023-50168
7.7 - High
- March 14, 2024
Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation.
XXE
Pega Platform 7.1.7-23.1.1 XSS via user HTML rendering
CVE-2023-50167
6.1 - Medium
- March 06, 2024
Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user HTML content.
XSS
HTML Injection in Pega Platform 7.1-8.8.3 name field (VBD)
CVE-2023-4843
4.8 - Medium
- September 08, 2023
Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director; however, this field can only be modified by an authenticated administrative user.
XSS
Pega Platform <7.3.1 Default Credentials Vulnerability
CVE-2023-32090
9.8 - Critical
- August 07, 2023
Pega platform clients who are using versions 6.1 through 7.3.1 may be utilizing default credentials.
Authentication
Pega Platform v7.4-8.8.x default creds after pre-8.x upgrade
CVE-2023-28094
9.8 - Critical
- June 22, 2023
Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials.
Pega Platform 7.2-8.8.1 XSS Vulnerability
CVE-2023-26465
6.1 - Medium
- June 09, 2023
Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue.
XSS
Pega Platform 8.5.4-8.7.3 XSS via Unauth User Redirect Param
CVE-2022-35654
6.1 - Medium
- August 22, 2022
Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.
XSS
Pega Platform 7.3-8.7.3 Datapage XSS Vulnerability
CVE-2022-35655
6.1 - Medium
- August 22, 2022
Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting.
XSS
Pega Platform 8.3-8.7.3 Auth Admins Can Alter CSRF Settings
CVE-2022-35656
4.5 - Medium
- August 22, 2022
Pega Platform from 8.3 to 8.7.3 is affected by a vulnerability that may allow authenticated security administrators to alter CSRF settings directly.
Session Riding
pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration
CVE-2020-15390
9.8 - Critical
- April 12, 2021
pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo.
Improper Privilege Management
Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS)
CVE-2020-23957
6.1 - Medium
- December 15, 2020
Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI.
XSS
Pega Platform before 8.4.0 has an XSS issue
CVE-2020-24353
6.1 - Medium
- November 09, 2020
Pega Platform before 8.4.0 has an XSS issue via stream rule parameters used in the request header.
XSS
PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_ListDatabases request while using a low-privilege account
CVE-2019-16387
8.1 - High
- November 26, 2019
PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_ListDatabases request while using a low-privilege account. (This can perform actions and retrieve data that only an administrator should have access to.) NOTE: The vendor states that this vulnerability was discovered using an administrator account and that these are normal administrator functions. Therefore, the claim that the CVE was done with a low-privilege account is incorrect.
Exposure of Resource to Wrong Sphere
PEGA Platform 7.x and 8.x is vulnerable to Information disclosure
CVE-2019-16386
4.3 - Medium
- November 26, 2019
PEGA Platform 7.x and 8.x is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyActivity=GetWebInfo&target=popup&pzHarnessID=random_harness_id request to get database schema information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and that these are normal administrator functions. Therefore, the claim that the CVE was done with a low-privilege account is incorrect.
Forced Browsing
PEGA Platform 8.3.0 is vulnerable to Information disclosure
CVE-2019-16388
4.3 - Medium
- November 26, 2019
PEGA Platform 8.3.0 is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyStream=MyAlerts request to get Audit Log information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and that these are normal administrator functions. Therefore, the claim that the CVE was done with a low-privilege account is incorrect.
Forced Browsing
An XSS issue was discovered in Designer Studio in Pegasystems Pega Platform 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2, 7.2.1, and 7.2.2
CVE-2017-17478
4.8 - Medium
- February 27, 2018
An XSS issue was discovered in Designer Studio in Pegasystems Pega Platform 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2, 7.2.1, and 7.2.2. A user with developer credentials can insert malicious code (up to 64 characters) into a text field in Designer Studio, after establishing context. Designer Studio is the developer workbench for Pega Platform. That XSS payload will execute when other developers visit the affected pages.
XSS