Executive Summary - Action Required
Pega regularly implements security controls designed to safeguard client environments. As part of these efforts, Pega will release patch updates addressing one medium-severity security vulnerability in Pega Platform. This issue can only be exploited by users with developer or admin access.
No client compromises have been reported to date; however, remediation is required to ensure continued security.
We would like to thank Amjad Nayef Qabaha from Integrated Telecom Solutions (INOVAR) for finding this vulnerability.
| Advisory | Description | Patch Remediation | Hotfix Remediation |
|---|---|---|---|
| D26 | Cross-Site Scripting (XSS) vulnerability | 24.2.4 Patch Release; 25.1.2 Patch Release | 23.1.5 - HFIX-D587*; 24.1.4 - HFIX-D588* |
* At the time this advisory was originally communicated to clients, hotfixes were not planned, and the issue was expected to be addressed only through the patch releases listed above. This position has now changed; see the Temporary Security Hotfix Policy Amendment section below for additional information.
Dates for upcoming patch releases can be found here: Pega Infinity Patch Calendar
Impact
Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.
Issue Details
| Issue | Cross-Site Scripting (XSS) |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 8.x to 25.1.1 |
| CVE | CVE-2026-1711 |
| CVSS Rating | Medium, 4.8 |
| Description | Cross-Site Scripting (XSS) |
Obtaining your Hotfixes
Hotfixes are being created only for the patch releases listed above, under Hotfix Remediation. A restart is not required after hotfix installation. We will not provide hotfixes on prior versions of the platform.
- Pega Cloud® clients, using the versions listed above, will have hotfixes applied proactively, with Cloud Maintenance (CM) cases detailing the schedule. If you are not on a version with a solution provided, please update promptly.
- United States Pega Cloud for Government (PCFG) clients will have Cloud Change (CC) cases created for relevant hotfixes, which Pega will apply. If you are not on a version with a solution provided, please update promptly.
- On-premises or client-managed cloud clients should check the table above for applicable hotfixes and download them directly from My Security Hotfixes on My Pega.
As a best practice, you should update your Pega environment to the latest available release to take advantage of the most recent features, capabilities, security updates, and bug fixes. For guidance, see Keeping Current with Pega.
Temporary Security Hotfix Policy Amendment (Applies to D26)
To support clients during infrastructure migrations, Pega has implemented a temporary amendment to its security hotfix policy starting with the B26 Security Advisory and continuing through the end of extended support for version 24.2.
Under this temporary policy, Pega will provide hotfixes for vulnerabilities on the latest patch versions in both standard and extended support, provided they meet both of the following conditions:
- The vulnerability is rated Medium or higher severity under the Common Vulnerability Scoring System (CVSS), and
- The vulnerability is the subject of an official Pega Security Advisory.
For full details on Pega support policies, refer to the Pega Extended Support Policy.
If you have questions or concerns, please raise a Support Ticket in My Support Portal.