{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1564", "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "state": "PUBLISHED", "assignerShortName": "Pega", "dateReserved": "2026-01-28T19:59:26.073Z", "datePublished": "2026-04-15T21:31:19.982Z", "dateUpdated": "2026-04-16T14:16:54.925Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "shortName": "Pega", "dateUpdated": "2026-04-15T21:31:19.982Z"}, "title": "Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.", "datePublic": "2026-04-15T22:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script Related HTML Tags in a Web Page", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-18", "descriptions": [{"lang": "en", "value": "CAPEC-18: XSS Targeting Non-Script Elements"}]}], "affected": [{"vendor": "Pegasystems", "product": "Pega Infinity", "versions": [{"status": "affected", "version": "8.1.0", "lessThan": "Infinity 25.1.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><div>Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.</div></div>"}]}], "references": [{"url": "https://support.pega.com/support-doc/pega-security-advisory-b26-vulnerability-remediation-note"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Michal Skowron from ING Hubs Poland", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T14:16:39.665831Z", "id": "CVE-2026-1564", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:16:54.925Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1564", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T14:16:39.665831Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:16:48.369Z"}}], "cna": {"title": "Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Michal Skowron from ING Hubs Poland"}], "impacts": [{"capecId": "CAPEC-18", "descriptions": [{"lang": "en", "value": "CAPEC-18: XSS Targeting Non-Script Elements"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Pegasystems", "product": "Pega Infinity", "versions": [{"status": "affected", "version": "8.1.0", "lessThan": "Infinity 25.1.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-15T22:00:00.000Z", "references": [{"url": "https://support.pega.com/support-doc/pega-security-advisory-b26-vulnerability-remediation-note"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.", "supportingMedia": [{"type": "text/html", "value": "<div><div>Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.</div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script Related HTML Tags in a Web Page"}]}], "providerMetadata": {"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "shortName": "Pega", "dateUpdated": "2026-04-15T21:31:19.982Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1564", "state": "PUBLISHED", "dateUpdated": "2026-04-16T14:16:54.925Z", "dateReserved": "2026-01-28T19:59:26.073Z", "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "datePublished": "2026-04-15T21:31:19.982Z", "assignerShortName": "Pega"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "69F8B2DB-793C-40B9-B883-89B01F6F058E", "versionEndIncluding": "25.1.1", "versionStartIncluding": "8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role."}], "id": "CVE-2026-1564", "lastModified": "2026-04-23T20:02:20.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@pega.com", "type": "Secondary"}]}, "published": "2026-04-15T22:16:51.250", "references": [{"source": "security@pega.com", "tags": ["Vendor Advisory"], "url": "https://support.pega.com/support-doc/pega-security-advisory-b26-vulnerability-remediation-note"}], "sourceIdentifier": "security@pega.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "security@pega.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.1.0,25.1.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Pega Infinity", "source": "cna", "vendor": "Pegasystems"}, "product": "pega_infinity", "vendor": "pegasystems"}], "analysis": {"en": {"generated_at": "2026-04-16T09:05:22.105645+00:00", "value": {"mitigation_remediation": ["Apply the latest Pega Infinity patch or upgrade to a version that removes the HTML injection flaw as released by Pega.", "If a patch is not yet available, restrict the privileges of the developer role to only the necessary functionalities and disable any features that permit arbitrary HTML input for that role.", "Implement a strict Content Security Policy on the web application to block the execution of injected scripts and enable input validation or output encoding to mitigate any residual injection risk."], "summary": {"action": "Mitigate", "impact": "HTML Injection (Cross\u2011Site Scripting)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Pegasystems Pega Infinity product in any instance running a version between 8.1.0 and 25.1.1. Exploitation requires a developer role with high privileges; ordinary users or roles with lower privileges cannot trigger the injection.", "description_and_impact": "Pega Platform versions 8.1.0 through 25.1.1 contain an HTML injection flaw in a user interface component that does not properly encode or sanitize user\u2011supplied data. The flaw allows an attacker who holds a high\u2011privileged developer account to inject arbitrary HTML, including JavaScript, into the platform\u2019s web interface. If the injected content is rendered in a victim\u2019s browser, it can execute in the context of the application, potentially providing ways for the attacker to perform actions such as session hijacking or data theft\u2014these outcomes are typical for XSS but are not explicitly detailed in the advisory.", "risk_and_exploitability": "The CVSS score of 5.1 indicates medium severity. While no public exploits have been reported and the vulnerability is not listed in the CISA KEV catalog, the requirement for a high\u2011privileged developer account reduces the chance of exploitation outside of environments where such accounts exist. Once the privilege threshold is met, an attacker could exploit the injected HTML to compromise confidentiality or integrity of the user session. Because an EPSS score is unavailable, the specific exploitation probability cannot be quantified, but the combination of medium CVSS and privileged requirement suggests a moderate overall risk."}}}}, "created": "2026-04-15T23:00:10.229964+00:00", "updated": "2026-04-16T09:15:30.979660+00:00", "vendors": ["pegasystems", "pegasystems$PRODUCT$pega_infinity"]}