Platform
other
Component
pega-platform
Fixed in
25.1.2
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Pega Platform versions 8.1.0 through 25.1.1. This vulnerability resides within a user interface component and allows an attacker to inject malicious scripts. Successful exploitation requires a high-privileged user with a developer role, potentially granting access to sensitive data or enabling further malicious actions within the platform. The vulnerability is resolved in version Infinity 25.1.2.
Successful exploitation of CVE-2026-1711 could allow an attacker to inject malicious JavaScript code into the Pega Platform user interface. Because the script is stored on the server, it will be executed whenever a user accesses the affected page, potentially impacting a wide range of users. An attacker could steal session cookies, redirect users to phishing sites, deface the application, or execute arbitrary code in the context of the victim's browser. The requirement for a high-privileged developer role limits the initial attack vector, but a compromised developer account could provide access to sensitive data and configuration settings within the Pega Platform environment. This vulnerability highlights the importance of robust input validation and output encoding within web applications.
CVE-2026-1711 was published on 2026-04-15. Currently, there are no publicly known exploits or active campaigns targeting this vulnerability. Its exploitation probability is considered low due to the requirement for a high-privileged developer role. It is not listed on KEV or EPSS. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Organizations heavily reliant on Pega Platform for critical business processes, particularly those with a large number of users with developer roles, are at increased risk. Environments with legacy Pega Platform deployments or those lacking robust input validation practices are also more vulnerable.
disclosure
Exploit status
EPSS
0.06% (18th percentile)
CISA SSVC
The primary mitigation for CVE-2026-1711 is to upgrade Pega Platform to version Infinity 25.1.2 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing stricter input validation and output encoding on user-supplied data within the affected UI components. Web application firewalls (WAFs) configured to detect and block XSS attempts can provide an additional layer of defense. Regularly review user access controls and ensure that the principle of least privilege is enforced, limiting the number of users with developer roles. After upgrading, confirm the fix by attempting to inject a malicious script into the affected UI component and verifying that it is properly sanitized.
Update Pega Platform to version 25.1.2 or later to mitigate the XSS vulnerability. See the Pegasystems security remediation note (https://support.pega.com/support-doc/pega-security-advisory-d26-vulnerability-remediation-note) for detailed instructions and mitigation steps.
CVE-2026-1711 is a Stored Cross-Site Scripting (XSS) vulnerability affecting Pega Platform versions 8.1.0 through 25.1.1, allowing malicious script injection via a user interface component requiring a developer role.
If you are using Pega Platform versions 8.1.0 through 25.1.1 and have users with developer roles, you are potentially affected by this vulnerability.
Upgrade Pega Platform to version Infinity 25.1.2 or later to resolve the vulnerability. Consider input validation and role restrictions as interim measures.
As of the current disclosure date, there are no confirmed reports of active exploitation of CVE-2026-1711.
Refer to the official Pega Platform security advisory for detailed information and updates regarding CVE-2026-1711.