{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-62184", "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "state": "PUBLISHED", "assignerShortName": "Pega", "dateReserved": "2025-10-07T19:04:27.221Z", "datePublished": "2026-03-31T17:52:07.404Z", "dateUpdated": "2026-03-31T18:33:01.304Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "shortName": "Pega", "dateUpdated": "2026-03-31T17:52:07.404Z"}, "title": "Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component.", "datePublic": "2026-03-31T19:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "affected": [{"vendor": "Pegasystems", "product": "Pega Infinity", "versions": [{"status": "affected", "version": "8.1.0", "lessThan": "Infinity 25.1.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><div>Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none.</div></div>"}]}], "references": [{"url": "https://support.pega.com/support-doc/pega-security-advisory-o25-vulnerability-remediation-note"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Amjad Nayef Qabaha from Integrated Telecom Solutions (INOVAR)", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:32:48.299631Z", "id": "CVE-2025-62184", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:33:01.304Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-62184", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T18:32:48.299631Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:32:53.575Z"}}], "cna": {"title": "Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component.", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Amjad Nayef Qabaha from Integrated Telecom Solutions (INOVAR)"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Pegasystems", "product": "Pega Infinity", "versions": [{"status": "affected", "version": "8.1.0", "lessThan": "Infinity 25.1.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-31T19:00:00.000Z", "references": [{"url": "https://support.pega.com/support-doc/pega-security-advisory-o25-vulnerability-remediation-note"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none.", "supportingMedia": [{"type": "text/html", "value": "<div><div>Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none.</div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "shortName": "Pega", "dateUpdated": "2026-03-31T17:52:07.404Z"}}}, "cveMetadata": {"cveId": "CVE-2025-62184", "state": "PUBLISHED", "dateUpdated": "2026-03-31T18:33:01.304Z", "dateReserved": "2025-10-07T19:04:27.221Z", "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "datePublished": "2026-03-31T17:52:07.404Z", "assignerShortName": "Pega"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5AF856D-F80C-4AA3-A569-2DF0DA5E4192", "versionEndIncluding": "25.1.0", "versionStartIncluding": "8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none."}], "id": "CVE-2025-62184", "lastModified": "2026-04-03T12:49:16.167", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.4, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@pega.com", "type": "Secondary"}]}, "published": "2026-03-31T18:16:44.423", "references": [{"source": "security@pega.com", "tags": ["Vendor Advisory"], "url": "https://support.pega.com/support-doc/pega-security-advisory-o25-vulnerability-remediation-note"}], "sourceIdentifier": "security@pega.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@pega.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.1.0,Infinity 25.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Pega Infinity", "source": "cna", "vendor": "Pegasystems"}, "product": "pega_infinity", "vendor": "pegasystems"}], "analysis": {"en": {"generated_at": "2026-04-03T15:21:55.842354+00:00", "value": {"mitigation_remediation": ["Contact Pegasystems support to obtain the latest security patch or release that addresses the stored XSS flaw.", "Apply the vendor\u2011issued patch or upgrade to a version beyond 25.1.0 as soon as it becomes available.", "Validate and sanitize all user\u2011supplied input in the affected UI component to prevent script injection.", "Limit administrative privileges and enforce role\u2011based access control to reduce the potential attack surface."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting that requires administrative privileges, leading to low confidentiality impact and no integrity impact"}, "threat_synthesis": {"affected_systems": "Pegasystems Pega Infinity, versions 8.1.0 through 25.1.0 are affected by this flaw.", "description_and_impact": "A stored cross\u2011site scripting flaw exists in a user interface component of Pega Platform. The vulnerability allows an attacker who can gain administrative access to inject malicious script that is persisted and executed in the browsers of other users who view the affected interface. Because the attacker merely injects client\u2011side code, the result is a potential phishing or cookie theft scenario, which in turn can lead to low\u2011level confidentiality compromise and no direct influence on data integrity.", "risk_and_exploitability": "The CVSS score of 4.8 indicates a low risk level, and the EPSS score of less than 1% reflects a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires administrative rights; therefore the attack vector is limited to privileged accounts. While the impact to confidentiality is low, the presence of administrative access raises the overall risk for organizations that rely on these versions."}}}}, "created": "2026-03-31T19:53:35.382627+00:00", "updated": "2026-04-03T21:17:28.714324+00:00", "vendors": ["pegasystems", "pegasystems$PRODUCT$pega_infinity"]}