{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0898", "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "state": "PUBLISHED", "assignerShortName": "Pega", "dateReserved": "2026-01-13T17:31:36.351Z", "datePublished": "2026-03-23T18:41:52.837Z", "dateUpdated": "2026-03-24T14:37:30.588Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "shortName": "Pega", "dateUpdated": "2026-03-23T18:41:52.837Z"}, "title": "An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25.", "datePublic": "2026-03-23T20:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-121", "descriptions": [{"lang": "en", "value": "CAPEC-121: Exploit Process Communication"}]}], "affected": [{"vendor": "Pegasystems", "product": "Pega Robot Studio", "versions": [{"status": "affected", "version": "22.1"}, {"status": "affected", "version": "R25"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes malicious code. The vulnerability may be exploited if a Pega Robot Studio developer is deceived into visiting this website during interrogation mode in Robot Studio.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><div>An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes malicious code. The vulnerability may be exploited if a Pega Robot Studio developer is deceived into visiting this website during interrogation mode in Robot Studio.</div></div>"}]}], "references": [{"url": "https://support.pega.com/support-doc/pega-security-advisory-p25-vulnerability-remediation-note"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}}], "credits": [{"lang": "en", "value": "Ramon Dunker from Achmea, Security Assessment Team", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:37:24.108479Z", "id": "CVE-2026-0898", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:37:30.588Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0898", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T14:37:24.108479Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:37:27.253Z"}}], "cna": {"title": "An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25.", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Ramon Dunker from Achmea, Security Assessment Team"}], "impacts": [{"capecId": "CAPEC-121", "descriptions": [{"lang": "en", "value": "CAPEC-121: Exploit Process Communication"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Pegasystems", "product": "Pega Robot Studio", "versions": [{"status": "affected", "version": "22.1"}, {"status": "affected", "version": "R25"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-23T20:00:00.000Z", "references": [{"url": "https://support.pega.com/support-doc/pega-security-advisory-p25-vulnerability-remediation-note"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes malicious code. The vulnerability may be exploited if a Pega Robot Studio developer is deceived into visiting this website during interrogation mode in Robot Studio.", "supportingMedia": [{"type": "text/html", "value": "<div><div>An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes malicious code. The vulnerability may be exploited if a Pega Robot Studio developer is deceived into visiting this website during interrogation mode in Robot Studio.</div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "shortName": "Pega", "dateUpdated": "2026-03-23T18:41:52.837Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0898", "state": "PUBLISHED", "dateUpdated": "2026-03-24T14:37:30.588Z", "dateReserved": "2026-01-13T17:31:36.351Z", "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "datePublished": "2026-03-23T18:41:52.837Z", "assignerShortName": "Pega"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes malicious code. The vulnerability may be exploited if a Pega Robot Studio developer is deceived into visiting this website during interrogation mode in Robot Studio."}, {"lang": "es", "value": "Una vulnerabilidad de escritura de archivos arbitraria en la extensi\u00f3n de navegador Pega (PBE) afecta a los desarrolladores de Pega Robot Studio que est\u00e1n automatizando Google Chrome y Microsoft Edge utilizando la versi\u00f3n 22.1 o R25. Esta vulnerabilidad no afecta a los usuarios de Robot Runtime. Un actor malicioso podr\u00eda crear un sitio web que incluya c\u00f3digo malicioso. La vulnerabilidad podr\u00eda ser explotada si un desarrollador de Pega Robot Studio es enga\u00f1ado para visitar este sitio web durante el modo de interrogaci\u00f3n en Robot Studio."}], "id": "CVE-2026-0898", "lastModified": "2026-03-24T15:54:09.400", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@pega.com", "type": "Secondary"}]}, "published": "2026-03-23T19:16:39.040", "references": [{"source": "security@pega.com", "url": "https://support.pega.com/support-doc/pega-security-advisory-p25-vulnerability-remediation-note"}], "sourceIdentifier": "security@pega.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@pega.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "22.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "R25"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Pega Robot Studio", "source": "cna", "vendor": "Pegasystems"}, "product": "pega_robot_studio", "vendor": "pegasystems"}], "created": "2026-03-24T10:33:15.904313+00:00", "updated": "2026-03-24T10:33:15.904390+00:00", "vendors": ["pegasystems", "pegasystems$PRODUCT$pega_robot_studio"]}