Skip to main content

Kiteworks Secure Data Forms CVE-2026-24752

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-01 GitHub_M
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 22:52 vuln.today

DescriptionGitHub Advisory

Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

AnalysisAI

Reflected cross-site scripting in Kiteworks Secure Data Forms (versions prior to 9.3.0) allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser after the victim is lured into clicking a crafted link. The CVSS 8.2 score is elevated by a changed scope (S:C) and high confidentiality impact, reflecting potential session theft or pivoting against the Kiteworks Private Data Network; no public exploit identified at time of analysis and not present in CISA KEV.

Technical ContextAI

Kiteworks is a Private Data Network (PDN) platform used to govern sensitive file sharing, secure email, MFT, forms and workflows for regulated industries. The vulnerable component is Secure Data Forms, a feature for collecting structured data from external parties. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the reflected variant - user-controllable input is echoed back into a response page without adequate output encoding or contextual escaping, allowing injected script to run in the origin of the Kiteworks application. The CPE cpe:2.3:a:kiteworks:secure_data_forms:*:*:*:*:*:*:*:* confirms Secure Data Forms as the affected product family across all versions up to the fix.

RemediationAI

Vendor-released patch: upgrade Kiteworks to version 9.3.0 or later, per the vendor advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-6798-vf3h-wcwr, which is the primary and recommended fix. If immediate upgrade is not feasible, compensating controls include restricting external access to Secure Data Forms endpoints behind a WAF with reflected-XSS signatures tuned for the affected parameters (trade-off: WAFs frequently miss context-specific XSS payloads and may break legitimate form submissions containing rich text), temporarily disabling the Secure Data Forms feature in the Kiteworks admin console for tenants that do not require it (trade-off: blocks legitimate external data-collection workflows), and enforcing a strict Content-Security-Policy that disallows inline script and limits script-src to vendor origins (trade-off: may break Kiteworks UI components that rely on inline handlers and requires regression testing). User-awareness guidance to avoid clicking unsolicited Kiteworks form links should accompany technical controls but is not a substitute for the patch.

Share

CVE-2026-24752 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy