Pegasystems Pega Platform
By the Year
In 2026 there has been 1 vulnerability in Pegasystems Pega Platform. Last year, in 2025, Pega Platform had 3 security vulnerabilities published. Right now, Pega Platform is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 0.00 |
| 2025 | 3 | 6.50 |
| 2024 | 4 | 7.00 |
| 2023 | 3 | 6.10 |
| 2022 | 1 | 6.10 |
| 2021 | 0 | 0.00 |
| 2020 | 1 | 0.00 |
| 2019 | 3 | 5.57 |
It may take a day or so for new Pega Platform vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Pegasystems Pega Platform Security Vulnerabilities
Pega Platform <=25.1.1 Stored XSS in UI component
CVE-2025-62183
- February 17, 2026
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Exploitation requires an administrative user who already has extensive access rights, so the impact to Confidentiality and Integrity is low.
XSS
Pega Platform 8.7.5-24.2.2 IDOR in UI Read-Only Component
CVE-2025-9559
6.5 - Medium
- October 16, 2025
Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data.
Insecure Direct Object Reference / IDOR
Pega Platform XSS via Mashup 8.4.3-24.2.1
CVE-2025-2160
- April 14, 2025
Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup.
Pega Platform Stored XSS via Profile (v8.1-24.2)
CVE-2024-12211
- January 13, 2025
Pega Platform versions 8.1 to Infinity 24.2.0 are affected by a Stored XSS issue with profile.
XSS via Search in Pega Platform (v8.1-24.2.0)
CVE-2024-10716
4.8 - Medium
- December 05, 2024
Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.
XSS
Pega Platform Improper Code Generation Vulnerability
CVE-2024-10094
9.8 - Critical
- November 20, 2024
Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code.
Code Injection
Pega Platform <=24.1.2: Stage HTML Injection (CVE-2024-6702)
CVE-2024-6702
4.8 - Medium
- September 12, 2024
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.
XSS
Pega Platform PDF Injection Disclosure 8.2.1-23.1.0
CVE-2023-50165
8.6 - High
- January 31, 2024
Pega Platform versions 8.2.1 to Infinity 23.1.0 are affected by a generated-PDF issue that could expose file contents.
SSRF
Pega Platform XSS: Ad-Hoc Case Creation <23.1 (fixed in 23.1)
CVE-2023-32088
6.1 - Medium
- October 18, 2023
Pega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS issue with ad-hoc case creation.
XSS
XSS in Pega Platform 8.1+ (task creation)
CVE-2023-32087
6.1 - Medium
- October 18, 2023
Pega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS issue with task creation.
XSS
Pega Platform 7.2-8.8.1 XSS Vulnerability
CVE-2023-26465
6.1 - Medium
- June 09, 2023
Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue.
XSS
Pega Platform 8.5.4-8.7.3 XSS via Unauth User Redirect Param
CVE-2022-35654
6.1 - Medium
- August 22, 2022
Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.
XSS
Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID" function.
CVE-2020-8774
- April 29, 2020
Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID" function.
PEGA Platform 7.x and 8.x is vulnerable to Information disclosure
CVE-2019-16386
4.3 - Medium
- November 26, 2019
PEGA Platform 7.x and 8.x is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyActivity=GetWebInfo&target=popup&pzHarnessID=random_harness_id request to get database schema information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and that these are normal administrator functions. Therefore, the claim that the CVE was done with a low-privilege account is incorrect.
forced browsing
PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_ListDatabases request while using a low-privilege account
CVE-2019-16387
8.1 - High
- November 26, 2019
PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_ListDatabases request while using a low-privilege account. (This can perform actions and retrieve data that only an administrator should have access to.) NOTE: The vendor states that this vulnerability was discovered using an administrator account and that these are normal administrator functions. Therefore, the claim that the CVE was done with a low-privilege account is incorrect.
Exposure of Resource to Wrong Sphere
PEGA Platform 8.3.0 is vulnerable to Information disclosure
CVE-2019-16388
4.3 - Medium
- November 26, 2019
PEGA Platform 8.3.0 is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyStream=MyAlerts request to get Audit Log information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and that these are normal administrator functions. Therefore, the claim that the CVE was done with a low-privilege account is incorrect.
forced browsing