Cross-Site Scripting Vulnerability in Pega Platform by Pega
CVE-2025-2161
7.1 HIGH
What is CVE-2025-2161?
The Pega Platform is exposed to a Cross-Site Scripting (XSS) vulnerability affecting versions from 7.2.1 up to Infinity 24.2.1. This issue arises within the Mashup component, potentially allowing an attacker to inject malicious scripts into web pages viewed by users. Successful exploitation might facilitate a range of attacks, including session hijacking. It is crucial for users of the affected versions to apply the necessary security patches as outlined in the vendor's advisory to mitigate potential risks.
Affected Version(s)
Pega Infinity 7.2.1 < 24.2.2
