{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1078", "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "state": "PUBLISHED", "assignerShortName": "Pega", "dateReserved": "2026-01-16T20:29:54.621Z", "datePublished": "2026-04-07T15:04:32.765Z", "dateUpdated": "2026-04-07T19:59:49.928Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "shortName": "Pega", "dateUpdated": "2026-04-07T15:04:32.765Z"}, "title": "An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge.", "datePublic": "2026-04-07T20:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-121", "descriptions": [{"lang": "en", "value": "CAPEC-121: Exploit Process Communication"}]}], "affected": [{"vendor": "Pegasystems", "product": "Pega Robot Studio", "versions": [{"status": "affected", "version": "22.1"}, {"status": "affected", "version": "R25"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur if a Robot Runtime user navigates to the malicious website.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><div>An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur if a Robot Runtime user navigates to the malicious website.</div></div>"}]}], "references": [{"url": "https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H"}}], "credits": [{"lang": "en", "value": "Ramon Dunker from Achmea, Security Assessment Team", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T19:55:37.122988Z", "id": "CVE-2026-1078", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T19:59:49.928Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1078", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T19:55:37.122988Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T19:55:42.609Z"}}], "cna": {"title": "An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge.", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Ramon Dunker from Achmea, Security Assessment Team"}], "impacts": [{"capecId": "CAPEC-121", "descriptions": [{"lang": "en", "value": "CAPEC-121: Exploit Process Communication"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Pegasystems", "product": "Pega Robot Studio", "versions": [{"status": "affected", "version": "22.1"}, {"status": "affected", "version": "R25"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-07T20:00:00.000Z", "references": [{"url": "https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur if a Robot Runtime user navigates to the malicious website.", "supportingMedia": [{"type": "text/html", "value": "<div><div>An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur if a Robot Runtime user navigates to the malicious website.</div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "shortName": "Pega", "dateUpdated": "2026-04-07T15:04:32.765Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1078", "state": "PUBLISHED", "dateUpdated": "2026-04-07T19:59:49.928Z", "dateReserved": "2026-01-16T20:29:54.621Z", "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "datePublished": "2026-04-07T15:04:32.765Z", "assignerShortName": "Pega"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur if a Robot Runtime user navigates to the malicious website."}], "id": "CVE-2026-1078", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@pega.com", "type": "Secondary"}]}, "published": "2026-04-07T16:16:23.200", "references": [{"source": "security@pega.com", "url": "https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note"}], "sourceIdentifier": "security@pega.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@pega.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "22.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "R25"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Pega Robot Studio", "source": "cna", "vendor": "Pegasystems"}, "product": "pega_robot_studio", "vendor": "pegasystems"}], "analysis": {"en": {"generated_at": "2026-04-07T22:10:54.493200+00:00", "value": {"mitigation_remediation": ["Apply the remediation steps outlined in Pega\u2019s support advisory A26 to update or patch the Pega Browser Extension."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file\u2011write through a malicious website used by Pega Browser Extension"}, "threat_synthesis": {"affected_systems": "Pegasystems Pega Robot Studio Robotic Automation versions 22.1 and R25 are affected, particularly when automations operate through Google Chrome or Microsoft Edge. Users running these versions in environments that permit web navigation are at risk.", "description_and_impact": "The Pega Browser Extension used by Pegasystems Pega Robot Studio allows a Robot Runtime user to write files to the local filesystem when a malicious website is visited. This flaw can be leveraged to create or overwrite arbitrary files, potentially installing malware or corrupting critical data, thereby compromising the integrity of the automation environment.", "risk_and_exploitability": "The CVSS score of 7.2 indicates high severity. Although an EPSS score is unavailable, the vulnerability is not excluded from public exploitation. The attack requires a Robot Runtime user or automated process to access a crafted website that hosts malicious code. Once accessed, the extension writes files in the context of the user or automation, enabling a local escalation of privileges and potential lateral spread if privileged files are overwritten."}}}}, "created": "2026-04-08T19:37:15.113457+00:00", "updated": "2026-04-08T19:48:30.723344+00:00", "vendors": ["pegasystems", "pegasystems$PRODUCT$pega_robot_studio"]}