Executive Summary - Action Required
Pega regularly implements security controls designed to safeguard client environments. As part of these efforts, Pega has released patch updates and hotfixes addressing a medium-severity security vulnerability in Pega Platform.
No client compromises have been reported to date; however, remediation is required to ensure continued security.
We would like to thank Jordan Lyons from AFLAC for finding this vulnerability.
| Advisory | Description | Patch Remediation | Hotfix Remediation |
|---|---|---|---|
| N25 | Cross-Site Scripting (XSS) vulnerability | 24.1.4 Patch Release (Targeted for Dec ’25); 24.2.4 Patch Release (Targeted for Feb ’26); 25.1.2 Patch Release (Targeted for Jan ’26); 26.1 Release (Targeted for Q2 ’26) | No hotfixes provided |
Dates for upcoming patch releases can be found in the Pega Infinity Patch Calendar.
Information regarding the availability of the patch releases will be publicly posted on Pega Support Center on February 16, 2026. We request that clients not discuss this in public forums until after it’s been publicly posted to help ensure ongoing containment of the issue.
Impact
Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.
Issue Details
| Issue Details | Issue: Cross-Site Scripting (XSS) |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 8.x to 25.1.1 |
| CVE | CVE-2025-62183 |
| CVSS Rating | Medium – 4.6 |
| Description | Cross-Site Scripting (XSS) |
Hotfixes are not being created and the issue will be addressed only in the patch releases listed above.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, security and bug fixes. See Keeping Current with Pega for details.