Pega Platform Versionen 8.1.0 bis 25.1.1 sind von einer HTML Injection (HTML Injection) Schwachstelle in einer Benutzeroberflächenkomponente betroffen. Erfordert einen hochprivilegierten Benutzer mit einer Entwicklerrolle.

Successful exploitation of CVE-2026-1564 could allow an attacker to inject arbitrary HTML into the Pega Platform user interface. This could be leveraged to execute malicious JavaScript code in the context of a victim's browser, leading to XSS attacks. An attacker could potentially steal session cookies, redirect users to phishing sites, or deface the application. The requirement for a high-privileged developer role limits the immediate blast radius, but a compromised developer account could provide access to sensitive data and configuration settings within the Pega Platform environment. This vulnerability highlights the importance of robust input validation and output encoding within web applications, especially those handling user-supplied data.

1. Reserviert2026-01-28
2. Veröffentlicht2026-04-15
3. Geändert2026-04-16
4. EPSS aktualisiert2026-04-23

The primary mitigation for CVE-2026-1564 is to upgrade Pega Platform to version Infinity 25.1.2 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing stricter input validation and output encoding on user-supplied data within the affected UI components. Web application firewalls (WAFs) configured to detect and block HTML injection attempts can provide an additional layer of defense. Regularly review user access controls and ensure that the principle of least privilege is enforced, limiting the number of users with developer roles. After upgrading, confirm the fix by attempting to inject HTML code into the affected UI component and verifying that it is properly sanitized.