Skip to main content

Kiteworks Secure Data Forms CVE-2026-24782

HIGH
SQL Injection (CWE-89)
2026-06-01 GitHub_M
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 22:52 vuln.today

DescriptionGitHub Advisory

Kiteworks is a private data network (PDN). Prior to version 9.3.0,ultiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and some global configuration parameters. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

AnalysisAI

SQL injection in Kiteworks Secure Data Forms before version 9.3.0 allows an authenticated attacker holding the FormBuilder role to read and tamper with other users' form definitions and certain global configuration parameters. The flaw affects the Kiteworks private data network platform, carries a CVSS 7.6 (high) severity rating, and no public exploit identified at time of analysis. Exploitation requires valid credentials with a specific role, narrowing the threat to insiders or attackers who have already obtained role-bearing accounts.

Technical ContextAI

Kiteworks is a private data network (PDN) used by enterprises for governed file sharing, secure forms, and managed file transfer; Secure Data Forms is the module that lets users design and publish data-collection forms. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controllable input handled by the FormBuilder feature is concatenated or insufficiently parameterized before reaching the underlying database query layer. Per the CPE cpe:2.3:a:kiteworks:secure_data_forms:*, the vulnerable component is the Secure Data Forms application across all versions prior to the fixed 9.3.0 release, and the flaw is described as multiple SQLi sinks rather than a single instance.

RemediationAI

Vendor-released patch: Kiteworks 9.3.0 - upgrade Kiteworks to 9.3.0 or later, per the vendor advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-849r-gm3r-4v5c. If immediate upgrade is not possible, restrict assignment of the FormBuilder role to a minimal set of trusted administrators (the vulnerability cannot be triggered without it), audit existing FormBuilder accounts for unexpected holders, and review form definitions and global configuration parameters for unauthorized modifications since this is an integrity-impacting flaw; note that revoking FormBuilder broadly will block legitimate form authoring workflows. Increase logging and monitoring around Secure Data Forms HTTP endpoints for anomalous query patterns until the patched build is deployed.

Share

CVE-2026-24782 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy