Kiteworks
CVE-2026-28270
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks configuration allows uploading of arbitrary files without proper validation. Malicious administrators could exploit this to upload unauthorized file types to the system. Version 9.2.0 contains a patch for the issue.
AnalysisAI
Kiteworks versions prior to 9.2.0 lack proper file validation in their configuration upload functionality, allowing authenticated administrators to upload arbitrary files to the system. An attacker with administrative privileges could exploit this to introduce malicious or unauthorized file types, potentially compromising system integrity. A patch is available in version 9.2.0 and later.
Technical ContextAI
Classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). Affects Kiteworks. Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks configuration allows uploading of arbitrary files without proper validation. Malicious administrators could exploit this to upload unauthorized file types to the system. Version 9.2.0 contains a patch for the issue.
RemediationAI
Monitor vendor advisories for a patch. Validate file types by content. Store uploads outside web root. Restrict network access to the affected service where possible.
Accellion Kiteworks before 7.4.0 allows an authenticated user to perform SQL Injection via LDAPGroup Search. Rated high
Kiteworks Email Protection Gateway prior to version 9.2.0 contains a stored cross-site scripting vulnerability in its co
Accellion Kiteworks before 7.3.1 allows a user with Admin privileges to escalate their privileges by generating SSH pass
Kiteworks versions prior to 9.2.0 contain a DNS rebinding vulnerability that allows authenticated administrators to circ
Kiteworks is a private data network (PDN). Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable,
Kiteworks versions prior to 9.2.0 suffer from a command injection vulnerability that permits authenticated users to redi
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today