What is the CVSS score of CVE-2026-26862?

CVE-2026-26862 has a CVSS 3.1 base score of 8.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of Clevertap Web Sdk are affected by CVE-2026-26862?

CleverTap Web SDK versions 1.15.2 and earlier contain a high-severity cross-site scripting vulnerability that could allow attackers to execute malicious code in users' browsers and compromise…. A patch is available.

Is there a public PoC exploit available for CVE-2026-26862?

Yes, a public proof-of-concept exploit is available for CVE-2026-26862. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-26862?

Within 24 hours: Inventory all CleverTap Web SDK deployments and identify instances running version 1.15.2 or earlier. Within 7 days: Apply the available vendor patch to all affected instances and validate deployment in staging environments. Within 30 days: Conduct security testing to confirm the vulnerability has been eliminated and document patch deployment across all environments.

Clevertap Web Sdk CVE-2026-26862

HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-02-27 cve@mitre.org

GHSA-jfrq-hj9f-c8qx

XSS Clevertap Web Sdk

8.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.3 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 03, 2026 - 18:44 vuln.today

Public exploit code

Patch released

Mar 03, 2026 - 18:44 nvd

Patch available

CVE Published

Feb 27, 2026 - 18:16 nvd

HIGH 8.3

DescriptionCVE.org

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain

AnalysisAI

CleverTap Web SDK versions 1.15.2 and earlier contain a DOM-based XSS vulnerability in the Visual Builder module due to improper origin validation of postMessage events, allowing attackers to inject malicious scripts through crafted subdomains. Public exploit code exists for this vulnerability, which affects all users of the affected SDK versions. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious subdomain containing 'dashboard.clevertap.com'

Delivery

Host XSS payload on attacker domain

Exploit

Trick user to visit page

Execution

Bypass origin validation via includes()

Impact

Execute JavaScript in victim context