Executive Summary - Action Required
Pega regularly implements security controls designed to safeguard client environments. As part of these efforts, Pega has released patch updates and hotfixes addressing a medium-severity security vulnerability in Pega Platform. This issue can only be exploited by users with Pega Prediction Studio access.
No compromises have been reported to date; however, remediation is required to ensure continued security.
We would like to thank Amjad Nayef Qabaha from Integrated Telecom Solutions (INOVAR) for finding this vulnerability.
| Advisory | Description | Patch Remediation | Hotfix Remediation |
|---|---|---|---|
| O25 | Cross-Site Scripting (XSS) vulnerability | 24.1.4 Patch Release; 24.2.4 Patch Release (targeted for March '26); 25.1.0 Release (25.1.1 release is available) | No hotfixes provided |
Dates for upcoming patch releases can be found here: Pega Infinity Patch Calendar.
Impact
Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.
Issue Details
| Issue Details | Issue: Cross-Site Scripting (XSS) |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 8.x to 25.1.0 |
| CVE | CVE-2025-62184 |
| CVSS Rating | Medium (4.8) |
| Description | Cross-Site Scripting (XSS) |
Hotfixes are not being created, and the issue will be addressed only in the patch releases listed above.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, security fixes, and bug fixes. See Keeping Current with Pega for details.
If you have questions or concerns, please raise a Support Ticket in My Support Portal.