Skip to main content

Kiteworks CVE-2026-24754

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-01 GitHub_M
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 22:58 vuln.today

DescriptionGitHub Advisory

Kiteworks is a private data network (PDN). Prior to version 9.3.0, a stored XSS vulnerability in Kiteworks Secure Data Forms could allow an authenticated attacker to execute arbitrary JavaScript code in other users' sessions. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

AnalysisAI

Stored cross-site scripting in Kiteworks Secure Data Forms allows authenticated low-privileged attackers to inject persistent malicious JavaScript that executes in other users' browser sessions. All Kiteworks releases prior to version 9.3.0 are affected, and the changed-scope CVSS modifier (S:C) confirms that injected scripts execute beyond the attacker's own session boundary, enabling session hijacking, credential theft, or unauthorized actions on behalf of victim users. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.

Technical ContextAI

Kiteworks is an enterprise private data network (PDN) platform designed for secure file sharing and collaboration. The vulnerability resides in the Secure Data Forms feature, where user-controlled input is insufficiently sanitized before being stored server-side and later rendered in other authenticated users' browser sessions - a textbook CWE-79 (Improper Neutralization of Input During Web Page Generation) stored XSS pattern, as distinct from reflected or DOM-based variants. The CVSS scope modifier S:C is significant here: it indicates the injected script executes in a security context beyond the attacker's own authenticated session, impacting the confidentiality and integrity of other users' sessions. The CPE identifier provided (cpe:2.3:a:kiteworks:security-advisories:*:*:*:*:*:*:*:*) references the vendor's GitHub security advisory repository rather than a versioned product CPE, so version-range enumeration relies on the advisory text rather than NVD CPE data directly.

RemediationAI

Upgrade Kiteworks to version 9.3.0 or later, which is the vendor-released patch confirmed by the advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-gxvv-hwgc-w7gh. If immediate upgrade is not operationally feasible, compensating controls include restricting write access to Secure Data Forms to the minimum necessary user roles, which reduces the pool of potential attackers but does not eliminate the vulnerability for authorized form contributors. Deploying or tightening Content Security Policy (CSP) headers at the web application or reverse proxy layer can constrain JavaScript execution scope and limit impact, though this depends on your deployment architecture and may require testing for functionality regressions. WAF-based XSS filtering should not be relied upon as a primary control for stored XSS, as payloads are written and read in separate requests, making them harder to intercept reliably. Patching to 9.3.0 remains the only confirmed remediation.

Share

CVE-2026-24754 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy