Kiteworks
CVE-2026-28269
MEDIUM
Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Kiteworks is a private data network (PDN). Prior to version 9.2.0, avulnerability in Kiteworks command execution functionality allows authenticated users to redirect command output to arbitrary file locations. This could be exploited to overwrite critical system files and gain elevated access. Version 9.2.0 contains a patch.
AnalysisAI
Kiteworks versions prior to 9.2.0 suffer from a command injection vulnerability that permits authenticated users to redirect command output to arbitrary file locations, potentially enabling overwriting of critical system files and privilege escalation. The vulnerability requires high privileges and manual user interaction to exploit, resulting in a medium severity rating with limited real-world exploitation likelihood (EPSS 0.1%). No patch is currently available for affected installations.
Technical ContextAI
Classified as CWE-78 (OS Command Injection). Affects the Kiteworks command execution component of Kiteworks. Kiteworks is a private data network (PDN). Prior to version 9.2.0, avulnerability in Kiteworks command execution functionality allows authenticated users to redirect command output to arbitrary file locations. This could be exploited to overwrite critical system files and gain elevated access. Version 9.2.0 contains a patch.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Accellion Kiteworks before 7.4.0 allows an authenticated user to perform SQL Injection via LDAPGroup Search. Rated high
Kiteworks Email Protection Gateway prior to version 9.2.0 contains a stored cross-site scripting vulnerability in its co
Accellion Kiteworks before 7.3.1 allows a user with Admin privileges to escalate their privileges by generating SSH pass
Kiteworks versions prior to 9.2.0 contain a DNS rebinding vulnerability that allows authenticated administrators to circ
Kiteworks is a private data network (PDN). Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable,
Kiteworks versions prior to 9.2.0 lack proper file validation in their configuration upload functionality, allowing auth
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today