Executive Summary - Action Required
Pega regularly implements security controls designed to safeguard client environments. As part of these efforts, Pega will release patch updates addressing two medium-severity security vulnerabilities in Pega Platform. These issues can only be exploited by users with developer/admin access.
No compromises have been reported to date; however, remediation is required to ensure continued security.
We would like to thank Michal Skowron from ING Hubs Poland for finding these vulnerabilities.
|
Advisory |
Description |
Patch Remediation |
Hotfix Remediation |
|---|---|---|---|
|
E26 |
Two Cross-Site Scripting (XSS) vulnerabilities (Dev Studio) |
24.2.4 Patch Release 25.1.3 Patch Release (Targeted for May 20 ‘26)
|
23.1.5 – HFIX-D578* 24.1.4 – HFIX-D579* 25.1.2 – HFIX-D580* |
*At the time this advisory was originally communicated to clients, hotfixes were not planned, and the issue was expected to be addressed only through the patch releases listed above. This position has now changed, see the Temporary Change to our Security Hotfix Policy section below for additional information.
Dates for upcoming patch releases can be found here: Pega Infinity Patch Calendar.
Impact
Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.
Issue Details
|
Issue Details |
Cross-Site Scripting (XSS) |
Cross-Site Scripting (XSS) |
|---|---|---|
|
Software/Product |
Pega Platform |
Pega Platform |
|
Affected Version(s) |
From 8.x to 25.1.2 |
From 8.x to 25.1.2 |
|
CVE |
CVE-2026-1562 |
CVE-2026-1563 |
|
CVSS Rating |
Medium– 4.6 |
Medium– 4.8 |
|
Description |
Cross-Site Scripting (XSS) |
Cross-Site Scripting (XSS) |
Obtaining your Hotfixes
Hotfixes are being created only for the patch releases listed above, under Hotfix Remediation. A restart is not required after hotfix installation. We will not provide hotfixes on prior versions of the platform.
- Pega Cloud® clients, using the versions listed above, will have hotfixes applied proactively, with Cloud Maintenance (CM) cases detailing the schedule. If you are not on a version with a solution provided, please update promptly.
- United States Pega Cloud for Government (PCFG) clients will have Cloud Change (CC) cases created for relevant hotfixes, which Pega will apply. If you are not on a version with a solution provided, please update promptly.
- On-premises or client-managed cloud clients should check the table above for applicable hotfixes and download them directly from My Security Hotfixes on My Pega.
As a best practice, you should update your Pega environment to the latest available release to take advantage of the most recent features, capabilities, security updates, and bug fixes. For guidance, see Keeping Current with Pega.
Temporary Change to our Security Hotfix Policy (Applies to E26)
To support clients during their infrastructure migrations, we are announcing a temporary amendment to our hotfix policy starting with the B26 Security Advisory, effective through the end of extended support for version 24.2.
Under this temporary policy, we will provide hotfixes for vulnerabilities on the latest patch versions in both standard and extended support, provided they meet both of the following conditions:
- The vulnerability is rated as 'Medium' or higher severity by the Common Vulnerability Scoring System (CVSS).
- The vulnerability has prompted an official Security Advisory from Pega.
For full details on our support policies, please refer to the Pega Extended Support Policy.
If you have any questions of concerns, please raise a ticket in My Support Portal.