Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Lifecycle Timeline
6DescriptionGitHub Advisory
Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, an authenticated attacker could exploit an Improper Neutralization of Input During Web Page Generation as Stored XSS when modifying forms. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.
AnalysisAI
A stored cross-site scripting (XSS) vulnerability exists in Kiteworks Secure Data Forms that allows authenticated attackers to inject malicious scripts when modifying forms. Kiteworks Secure Data Forms versions prior to 9.2.1 are affected, enabling attackers with low-level privileges to execute arbitrary JavaScript in victims' browsers. There is no indication this vulnerability is actively exploited (not in CISA KEV), and no public proof-of-concept has been identified in available intelligence.
Technical ContextAI
Kiteworks is a private content network platform designed for secure file sharing and collaboration. The vulnerability, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), exists in the Secure Data Forms component. The affected product is identified by CPE cpe:2.3:a:kiteworks:secure_data_forms:*:*:*:*:*:*:*:*. The root cause is insufficient input validation and output encoding when processing user-supplied data during form modification operations, allowing malicious JavaScript to be stored in the application database and later executed in the context of other users' browser sessions. This is a classic stored XSS vulnerability where the malicious payload persists in the application rather than being reflected immediately.
RemediationAI
Upgrade Kiteworks Secure Data Forms to version 9.2.1 or later immediately to receive the patch that addresses this stored XSS vulnerability. The vendor security advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-rfwm-2hq6-h84g provides official upgrade guidance and release notes. Until patching is completed, organizations should implement compensating controls including restricting form modification privileges to only highly trusted users, implementing Content Security Policy (CSP) headers to mitigate XSS execution, enabling aggressive input validation at network perimeter devices, and monitoring form modification activities for suspicious patterns. Review existing forms for potentially malicious content introduced prior to patching.
More in Secure Data Forms
View allReflected cross-site scripting in Kiteworks Secure Data Forms (versions prior to 9.3.0) allows remote unauthenticated at
Reflected cross-site scripting in Kiteworks Secure Data Forms prior to version 9.3.0 allows external attackers to execut
SQL injection in Kiteworks Secure Data Forms before version 9.3.0 allows an authenticated attacker holding the FormBuild
Kiteworks Secure Data Forms prior to version 9.2.1 contains a misconfiguration of security attributes that allows unprot
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms allows authenticated low-privileged users to modi
Kiteworks Secure Data Forms contains an unrestricted file upload vulnerability (CWE-434) that allows form managers to up
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms exposes a permission-modification vector for any
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 allows any authenticated l
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 enables access to other us
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15455