Platform: other
Component: pega-platform
Fixed in: 25.1.2
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Pega Platform versions 8.1.0 through 25.1.1. The vulnerability resides within a user interface component and allows an attacker to inject malicious scripts. Successful exploitation requires a high-privileged user with a developer role; the injected script could grant access to sensitive data or enable further malicious actions within the platform. The vulnerability is resolved in version Infinity 25.1.2.
The impact of this XSS vulnerability is significant, particularly given the requirement for a high-privileged user. An attacker who can successfully inject and execute malicious scripts could potentially steal session cookies, hijack user accounts, or deface the Pega Platform interface. This could lead to unauthorized access to sensitive data, modification of business processes, and disruption of critical operations. The attacker's ability to leverage a developer role amplifies the potential for lateral movement within the Pega environment, potentially compromising other systems and data.
CVE-2026-1711 was publicly disclosed on 2026-04-15. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the requirement for a privileged user and the lack of public exploits, the probability of exploitation is currently considered low.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC
The primary mitigation for CVE-2026-1711 is to upgrade Pega Platform to version Infinity 25.1.2 or later, which contains the fix. If an immediate upgrade is not feasible, consider restricting access to the vulnerable user interface component for users without a legitimate need. Implement strict input validation and output encoding on all user-supplied data to minimize the risk of XSS attacks. Regularly review user roles and permissions to ensure that only authorized personnel have developer access.
Update Pega Platform to version 25.1.2 or later to mitigate the XSS vulnerability. Refer to the Pegasystems security remediation note (https://support.pega.com/support-doc/pega-security-advisory-d26-vulnerability-remediation-note) for detailed instructions and mitigation steps.
CVE-2026-1711 is a Stored Cross-Site Scripting (XSS) vulnerability affecting Pega Platform versions 8.1.0 through 25.1.1. It allows malicious script injection via a user interface component, and exploitation requires a developer role.
If you are using Pega Platform versions 8.1.0 through 25.1.1 and have users with developer roles, you are potentially affected by this vulnerability.
Upgrade Pega Platform to version Infinity 25.1.2 or later to resolve the vulnerability. Consider input validation and role restrictions as interim measures.
As of the current disclosure date, there are no confirmed reports of active exploitation of CVE-2026-1711.
Refer to the official Pega Platform security advisory for detailed information and updates regarding CVE-2026-1711.