CVE-2019-16386
CVE-2019-16386 is a medium-severity vulnerability in Pega Pega Platform with a CVSS 3.x base score of 4.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-425.
Key facts
- Severity: Medium (CVSS 3.x base score 4.3)
- CVSS v2: 4.0
- EPSS exploit prediction: 1% (52nd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-425
- Affected product: Pega Pega Platform
- Published:
- Last modified:
Description
PEGA Platform 7.x and 8.x is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyActivity=GetWebInfo&target=popup&pzHarnessID=random_harness_id request to get database schema information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect
Frequently asked questions
- What is CVE-2019-16386?
- PEGA Platform 7.x and 8.x is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyActivity=GetWebInfo&target=popup&pzHarnessID=random_harness_id request to get database schema information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect
- How severe is CVE-2019-16386?
- CVE-2019-16386 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2019-16386 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (52nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2019-16386?
- CVE-2019-16386 affects Pega Pega Platform. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2019-16386?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2019-16386 published?
- CVE-2019-16386 was published on 2019-11-26 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*
More vulnerabilities in Pega Pega Platform
- CVE-2023-32090 — Critical (CVSS 9.8): Pega platform clients who are using versions 6.1 through 7.3.1 may be utilizing default credentials
- CVE-2020-15390 — Critical (CVSS 9.8): pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control…
- CVE-2020-8774 — High (CVSS 8.8): Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the…
- CVE-2025-2160 — High (CVSS 8.1): Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup
- CVE-2023-28094 — High (CVSS 8.1): Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be…
- CVE-2019-16387 — High (CVSS 8.1): PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_Li…
All CVEs affecting Pega Pega Platform →
Other CWE-425 vulnerabilities
- CVE-2025-26689 — Critical (CVSS 9.8): Direct request ('Forced Browsing') issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If a remote…
- CVE-2024-0204 — Critical (CVSS 9.8): Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via…
- CVE-2022-45276 — Critical (CVSS 9.8): An issue in the /index/user/user_edit.html component of YJCMS v1.0.9 allows unauthenticated attackers to obtain the…
- CVE-2022-26279 — Critical (CVSS 9.8): EyouCMS v1.5.5 was discovered to have no access control in the component /data/sqldata.
- CVE-2021-36560 — Critical (CVSS 9.8): Phone Shop Sales Managements System using PHP with Source Code 1.0 is vulnerable to authentication bypass which leads…
- CVE-2021-36745 — Critical (CVSS 9.8): A vulnerability in Trend Micro ServerProtect for Storage 6.0, ServerProtect for EMC Celerra 5.8, ServerProtect for…