Executive Summary - Action Required
Pega regularly implements security controls designed to safeguard client environments. As part of these efforts, Pega will release patch updates and hotfixes addressing two high-severity security vulnerabilities in Pega Platform.
No client compromises have been reported to date; however, remediation is required to ensure continued security.
| Advisory | Description | Impact | Patch Remediation | Hotfix Remediation |
|---|---|---|---|---|
| C26 | Two Cross-Site Scripting (XSS) vulnerabilities | Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it. | 24.2.4 Patch Release (targeted for Mar 11 '26); 25.1.2 Patch Release (targeted for Feb 12 '26) | 23.1.5 hotfix – HFIX-D174; 24.1.4 hotfix – HFIX-D178; 24.2.3 hotfix – HFIX-D175; 25.1.1 hotfix – HFIX-D176 |
Dates for all upcoming Infinity patch releases can be found here: Pega Infinity Patch Calendar.
Impact
Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.
Issue Details
| Issue Details | Issue 1: XSS issue with mashup | Issue 2: XSS issue with mashup |
|---|---|---|
| Software/Product | Pega Platform | Pega Platform |
| Affected Version(s) | From 8.4.3 to 25.1.1 | From 7.2.1 to 25.1.1 |
| CVE ID | No CVE | No CVE |
| CVSS Rating (CVSS 4.0) | High (8.1) | High (7.1) |
| Description | Reflected Cross-Site Scripting (XSS) | Reflected Cross-Site Scripting (XSS) |
Obtaining your Hotfixes
Hotfixes are being created only for the patch releases listed above, under Hotfix Remediation. A restart is needed after hotfix installation. We will not provide hotfixes on prior versions of the platform.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, security, and bug fixes. See Keeping Current with Pega for details.
- Pega Cloud® clients running the versions listed above will have hotfixes applied proactively, with Cloud Maintenance (CM) cases detailing the schedule. If you are not on a version with a solution provided, please update promptly.
- United States Pega Cloud for Government (PCFG) clients will have Cloud Change (CC) cases created for relevant hotfixes, which Pega will apply. If you are not on a version with a solution provided, please update promptly.
- On-premises or client-managed cloud clients should check the table above for applicable hotfixes and download them directly from My Security Hotfixes on My Pega.
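The affected-version ranges and remediation columns above, turned into a small triage helper that tells you whether an installed version is covered by this advisory and which action applies (an added example, not Pega's code; the rule that a later maintenance release on the same major.minor line as a listed patch release also carries the fix is an assumption, not something the advisory states):

```python
# Added triage helper (not Pega's code); table data transcribed from advisory C26.
# Inclusive affected ranges per issue (Issue Details table).
AFFECTED_RANGES = {
    "XSS issue with mashup (CVSS 8.1)": ("8.4.3", "25.1.1"),
    "XSS issue with mashup (CVSS 7.1)": ("7.2.1", "25.1.1"),
}
# Patch releases that carry the fix (Patch Remediation column).
PATCH_RELEASES = ["24.2.4", "25.1.2"]
# Hotfix per exact version (Hotfix Remediation column); restart after install.
HOTFIXES = {
    "23.1.5": "HFIX-D174",
    "24.1.4": "HFIX-D178",
    "24.2.3": "HFIX-D175",
    "25.1.1": "HFIX-D176",
}

def parse_version(text):
    """'24.2.3' -> (24, 2, 3); tuples compare numerically, strings do not."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    return parts

def has_fix(version):
    """True for a listed patch release or (assumption, not stated by the
    advisory) a later maintenance release on the same major.minor line."""
    v = parse_version(version)
    return any(v[:2] == parse_version(p)[:2] and v >= parse_version(p)
               for p in PATCH_RELEASES)

def affected_issues(version):
    """Names of the issues whose range contains version and that are unfixed."""
    v = parse_version(version)
    if has_fix(version):
        return []
    return [name for name, (lo, hi) in AFFECTED_RANGES.items()
            if parse_version(lo) <= v <= parse_version(hi)]

def triage(version):
    """Return (affected, issues, action) for one installed version."""
    key = ".".join(str(n) for n in parse_version(version))
    issues = affected_issues(key)
    if not issues:
        return (False, [], "outside the affected ranges; no action from this advisory")
    if key in HOTFIXES:
        return (True, issues, f"install {HOTFIXES[key]}, then restart")
    return (True, issues, "no hotfix for this version; update to a listed "
                          "patch release or hotfixed version")
```

Note that a plain range check alone would flag 24.2.4 as affected because it sorts below 25.1.1; the patch-release list is what makes the result correct.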
If you have questions or concerns, please raise a Support Ticket in My Support Portal.