{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1079", "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "state": "PUBLISHED", "assignerShortName": "Pega", "dateReserved": "2026-01-16T20:29:58.229Z", "datePublished": "2026-04-07T15:17:47.205Z", "dateUpdated": "2026-04-07T20:06:55.833Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "shortName": "Pega", "dateUpdated": "2026-04-07T15:17:47.205Z"}, "title": "A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension.", "datePublic": "2026-04-07T20:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-121", "descriptions": [{"lang": "en", "value": "CAPEC-121: Exploit Process Communication"}]}], "affected": [{"vendor": "Pegasystems", "product": "Pega Browser Extension (PBE)", "versions": [{"status": "affected", "version": "0", "lessThan": "3.1.45", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could occur if a user navigates to this website. The malicious website could then present an unexpected message box.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><div>A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could occur if a user navigates to this website. The malicious website could then present an unexpected message box.</div></div>"}]}], "references": [{"url": "https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L"}}], "credits": [{"lang": "en", "value": "Ramon Dunker from Achmea, Security Assessment Team", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T20:03:41.328986Z", "id": "CVE-2026-1079", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T20:06:55.833Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1079", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T20:03:41.328986Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T20:06:53.274Z"}}], "cna": {"title": "A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension.", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Ramon Dunker from Achmea, Security Assessment Team"}], "impacts": [{"capecId": "CAPEC-121", "descriptions": [{"lang": "en", "value": "CAPEC-121: Exploit Process Communication"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Pegasystems", "product": "Pega Browser Extension (PBE)", "versions": [{"status": "affected", "version": "0", "lessThan": "3.1.45", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-07T20:00:00.000Z", "references": [{"url": "https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could occur if a user navigates to this website. The malicious website could then present an unexpected message box.", "supportingMedia": [{"type": "text/html", "value": "<div><div>A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could occur if a user navigates to this website. The malicious website could then present an unexpected message box.</div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "shortName": "Pega", "dateUpdated": "2026-04-07T15:17:47.205Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1079", "state": "PUBLISHED", "dateUpdated": "2026-04-07T20:06:55.833Z", "dateReserved": "2026-01-16T20:29:58.229Z", "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9", "datePublished": "2026-04-07T15:17:47.205Z", "assignerShortName": "Pega"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could occur if a user navigates to this website. The malicious website could then present an unexpected message box."}], "id": "CVE-2026-1079", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@pega.com", "type": "Secondary"}]}, "published": "2026-04-07T16:16:23.370", "references": [{"source": "security@pega.com", "url": "https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note"}], "sourceIdentifier": "security@pega.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@pega.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1.45)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Pega Browser Extension (PBE)", "source": "cna", "vendor": "Pegasystems"}, "product": "pega_browser_extension_(pbe)", "vendor": "pegasystems"}], "analysis": {"en": {"generated_at": "2026-04-07T21:26:03.537588+00:00", "value": {"mitigation_remediation": ["Apply the latest update or patch for Pega Browser Extension as recommended by Pega\u2019s security advisory. If a patch is not yet available, disable the Pega Browser Extension or block users from loading the extension. Use browser security controls such as the block list or content\u2011security\u2011policy to prevent users from visiting or executing malicious web pages that target the extension. Monitor user activity for unexpected message boxes and educate users about the risks of visiting untrusted websites."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access via native messaging host"}, "threat_synthesis": {"affected_systems": "All users who have installed the Pega Browser Extension (PBE) as part of any version of Pega Robotic Automation are vulnerable. The vulnerability exists across every released version of the extension and therefore affects every Pega Robotic Automation deployment that utilizes PBE.", "description_and_impact": "The Pega Browser Extension contains a native messaging host flaw that can be triggered by a malicious website. When a user navigates to the compromised site the extension can display unexpected message boxes, potentially delivering unauthorized commands or data. The weakness is an improper access control issue, specifically CWE\u2011284, which may allow an attacker to send privileged messages to the extension or exploit its elevated permissions.", "risk_and_exploitability": "The CVSS score of 6.0 indicates a medium severity vulnerability while no EPSS score is currently published. The flaw can be exploited by hosting a malicious page that a user visits; no known public exploits exist, but the impact could range from deceptive message boxes to execution of privileged operations. Since the flaw is present in all versions and is not listed in the CISA KEV catalog, organisations should consider it a potential risk until a patch is applied."}}}}, "created": "2026-04-08T19:37:08.611638+00:00", "updated": "2026-04-08T19:48:22.079951+00:00", "vendors": ["pegasystems", "pegasystems$PRODUCT$pega_browser_extension_(pbe)"]}