Kiteworks Secure Data Forms CVE-2026-24752
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
AnalysisAI
Reflected cross-site scripting in Kiteworks Secure Data Forms (versions prior to 9.3.0) allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser after the victim is lured into clicking a crafted link. The CVSS 8.2 score is elevated by a changed scope (S:C) and high confidentiality impact, reflecting potential session theft or pivoting against the Kiteworks Private Data Network; no public exploit identified at time of analysis and not present in CISA KEV.
Technical ContextAI
Kiteworks is a Private Data Network (PDN) platform used to govern sensitive file sharing, secure email, MFT, forms and workflows for regulated industries. The vulnerable component is Secure Data Forms, a feature for collecting structured data from external parties. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the reflected variant - user-controllable input is echoed back into a response page without adequate output encoding or contextual escaping, allowing injected script to run in the origin of the Kiteworks application. The CPE cpe:2.3:a:kiteworks:secure_data_forms:*:*:*:*:*:*:*:* confirms Secure Data Forms as the affected product family across all versions up to the fix.
RemediationAI
Vendor-released patch: upgrade Kiteworks to version 9.3.0 or later, per the vendor advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-6798-vf3h-wcwr, which is the primary and recommended fix. If immediate upgrade is not feasible, compensating controls include restricting external access to Secure Data Forms endpoints behind a WAF with reflected-XSS signatures tuned for the affected parameters (trade-off: WAFs frequently miss context-specific XSS payloads and may break legitimate form submissions containing rich text), temporarily disabling the Secure Data Forms feature in the Kiteworks admin console for tenants that do not require it (trade-off: blocks legitimate external data-collection workflows), and enforcing a strict Content-Security-Policy that disallows inline script and limits script-src to vendor origins (trade-off: may break Kiteworks UI components that rely on inline handlers and requires regression testing). User-awareness guidance to avoid clicking unsolicited Kiteworks form links should accompany technical controls but is not a substitute for the patch.
More in Secure Data Forms
View allReflected cross-site scripting in Kiteworks Secure Data Forms prior to version 9.3.0 allows external attackers to execut
A stored cross-site scripting (XSS) vulnerability exists in Kiteworks Secure Data Forms that allows authenticated attack
SQL injection in Kiteworks Secure Data Forms before version 9.3.0 allows an authenticated attacker holding the FormBuild
Kiteworks Secure Data Forms prior to version 9.2.1 contains a misconfiguration of security attributes that allows unprot
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms allows authenticated low-privileged users to modi
Kiteworks Secure Data Forms contains an unrestricted file upload vulnerability (CWE-434) that allows form managers to up
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms exposes a permission-modification vector for any
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 allows any authenticated l
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 enables access to other us
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today