Kiteworks Secure Data Forms CVE-2026-24782
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
1DescriptionGitHub Advisory
Kiteworks is a private data network (PDN). Prior to version 9.3.0,ultiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and some global configuration parameters. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
AnalysisAI
SQL injection in Kiteworks Secure Data Forms before version 9.3.0 allows an authenticated attacker holding the FormBuilder role to read and tamper with other users' form definitions and certain global configuration parameters. The flaw affects the Kiteworks private data network platform, carries a CVSS 7.6 (high) severity rating, and no public exploit identified at time of analysis. Exploitation requires valid credentials with a specific role, narrowing the threat to insiders or attackers who have already obtained role-bearing accounts.
Technical ContextAI
Kiteworks is a private data network (PDN) used by enterprises for governed file sharing, secure forms, and managed file transfer; Secure Data Forms is the module that lets users design and publish data-collection forms. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controllable input handled by the FormBuilder feature is concatenated or insufficiently parameterized before reaching the underlying database query layer. Per the CPE cpe:2.3:a:kiteworks:secure_data_forms:*, the vulnerable component is the Secure Data Forms application across all versions prior to the fixed 9.3.0 release, and the flaw is described as multiple SQLi sinks rather than a single instance.
RemediationAI
Vendor-released patch: Kiteworks 9.3.0 - upgrade Kiteworks to 9.3.0 or later, per the vendor advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-849r-gm3r-4v5c. If immediate upgrade is not possible, restrict assignment of the FormBuilder role to a minimal set of trusted administrators (the vulnerability cannot be triggered without it), audit existing FormBuilder accounts for unexpected holders, and review form definitions and global configuration parameters for unauthorized modifications since this is an integrity-impacting flaw; note that revoking FormBuilder broadly will block legitimate form authoring workflows. Increase logging and monitoring around Secure Data Forms HTTP endpoints for anomalous query patterns until the patched build is deployed.
More in Secure Data Forms
View allReflected cross-site scripting in Kiteworks Secure Data Forms (versions prior to 9.3.0) allows remote unauthenticated at
Reflected cross-site scripting in Kiteworks Secure Data Forms prior to version 9.3.0 allows external attackers to execut
A stored cross-site scripting (XSS) vulnerability exists in Kiteworks Secure Data Forms that allows authenticated attack
Kiteworks Secure Data Forms prior to version 9.2.1 contains a misconfiguration of security attributes that allows unprot
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms allows authenticated low-privileged users to modi
Kiteworks Secure Data Forms contains an unrestricted file upload vulnerability (CWE-434) that allows form managers to up
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms exposes a permission-modification vector for any
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 allows any authenticated l
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 enables access to other us
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today