Executive Summary - Action Required
Pega regularly implements security controls designed to safeguard client environments. As part of these efforts, Pega will release patch updates addressing one medium-severity security vulnerability in Pega Platform. This issue can only be exploited by users with developer/admin access.
No client compromises have been reported to date; however, remediation is required to ensure continued security.
We would like to thank Michal Skowron from ING Hubs Poland for finding this vulnerability.
| Advisory | Description | Patch Remediation | Hotfix Remediation |
|---|---|---|---|
| B26 | HTML Injection (Prediction Studio) | 24.2.4 Patch Release, 25.1.2 Patch Release | 23.1.5 – HFIX-D585*, 24.1.4 – HFIX-D586* |
*At the time this advisory was originally communicated to clients, hotfixes were not planned, and the issue was expected to be addressed only through the patch releases listed above. This position has now changed; see the Temporary change to Security Hotfix Policy section below for additional information.
Dates for upcoming patch releases can be found here: Pega Infinity Patch Calendar.
Information regarding the availability of the patch releases will be publicly posted on Pega Support Center on April 15, 2026. We request that clients not discuss this in public forums until after this issue has been publicly posted to help ensure that all customers have adequate time to apply the necessary patches.
Impact
HTML Injection is an attack that is similar to cross-site scripting (XSS). Where an XSS vulnerability lets the attacker inject and execute JavaScript code, an HTML injection attack only allows the injection of certain HTML tags. Attackers often initiate an HTML injection attack by sending a malicious link to a user and enticing the user to click it.
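The root cause behind this class of issue is untrusted text reaching an HTML response without output encoding. The following added example (not Pega's code, and not taken from this advisory; the template, field name and sample input are constructed assumptions) contrasts the vulnerable rendering pattern with the hardened one and includes a small check a defender can run over rendered output to spot tags that the template itself did not contribute:

```python
import html
import re

# Constructed sample input: a display name that carries markup. In an HTML
# injection the attacker controls such a string, and the tag survives into
# the page whenever the application does not encode it.
CONSTRUCTED_NAME = 'Alice <a href="https://example.invalid/">click me</a>'

# Assumed template; it contributes exactly two tags of its own (<p> and </p>).
TEMPLATE = "<p>Welcome, {name}!</p>"
TEMPLATE_TAG_COUNT = 2


def render_unsafe(name: str) -> str:
    """Vulnerable pattern: untrusted text is concatenated straight into HTML."""
    return TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Hardened pattern: HTML-encode untrusted text before it enters the markup.

    quote=True also encodes quotes, so the result is safe inside attribute
    values as well as in element text.
    """
    return TEMPLATE.format(name=html.escape(name, quote=True))


# Matches any start tag, end tag, comment or doctype-like construct.
TAG_RE = re.compile(r"<[A-Za-z/!][^>]*>")


def injected_tags(rendered: str, template_tags: int = TEMPLATE_TAG_COUNT) -> int:
    """Count tags in the output beyond those the template contributes.

    A positive result means user-controlled markup reached the page, which is
    the condition an HTML-injection finding describes.
    """
    return len(TAG_RE.findall(rendered)) - template_tags


if __name__ == "__main__":
    print("unsafe:", render_unsafe(CONSTRUCTED_NAME))
    print("  injected tags:", injected_tags(render_unsafe(CONSTRUCTED_NAME)))
    print("safe:  ", render_safe(CONSTRUCTED_NAME))
    print("  injected tags:", injected_tags(render_safe(CONSTRUCTED_NAME)))
```

The encoded output still displays the literal characters the user typed, so the fix costs nothing functionally; the same encode-at-output rule is what a patch for an HTML injection in a rendering component such as a studio UI typically applies.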
Issue Details
| Issue Details | HTML Injection |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 8.x to 25.1.1 |
| CVE | CVE-2026-1564 |
| CVSS Rating | Medium – 4.6 |
| Description | HTML Injection |
Obtaining your Hotfixes
Hotfixes are being created only for the patch releases listed above, under Hotfix Remediation. A restart is not required after hotfix installation. We will not provide hotfixes on prior versions of the platform.
- Pega Cloud® clients, using the versions listed above, will have hotfixes applied proactively, with Cloud Maintenance (CM) cases detailing the schedule. If you are not on a version with a solution provided, please update promptly.
- United States Pega Cloud for Government (PCFG) clients will have Cloud Change (CC) cases created for relevant hotfixes, which Pega will apply. If you are not on a version with a solution provided, please update promptly.
- On-premises or client-managed cloud clients should check the table above for applicable hotfixes and download them directly from My Security Hotfixes on My Pega.
As a best practice, you should update your Pega environment to the latest available release to take advantage of the most recent features, capabilities, security updates, and bug fixes. For guidance, see Keeping Current with Pega.
Temporary change to Security hotfix policy (Applies to B26)
To support clients during their infrastructure migrations, we are announcing a temporary amendment to our hotfix policy starting with the B26 Security Advisory, effective through the end of extended support for version 24.2.
Under this temporary policy, we will provide hotfixes for vulnerabilities on the latest patch versions in both standard and extended support, provided they meet both of the following conditions:
- The vulnerability is rated as 'Medium' or higher severity by the Common Vulnerability Scoring System (CVSS).
- The vulnerability has prompted an official Security Advisory from Pega.
For full details on our support policies, please refer to the Pega Extended Support Policy.
If you have any questions or concerns, please raise a ticket in My Support Portal.