Kiteworks
CVE-2026-28272
HIGH
Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when users interact with the affected user interface. Version 9.2.0 contains a patch for the issue.
AnalysisAI
Kiteworks Email Protection Gateway prior to version 9.2.0 contains a stored cross-site scripting vulnerability in its configuration interface that allows authenticated administrators to inject malicious scripts executed against other users. An admin with high privileges can exploit this to compromise user sessions and data through the affected UI. No patch is currently available for this vulnerability.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects the a configuration component of Kiteworks. Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when users interact with the affected user interface. Version 9.2.0 contains a patch for the issue.
RemediationAI
Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
Accellion Kiteworks before 7.4.0 allows an authenticated user to perform SQL Injection via LDAPGroup Search. Rated high
Accellion Kiteworks before 7.3.1 allows a user with Admin privileges to escalate their privileges by generating SSH pass
Kiteworks versions prior to 9.2.0 contain a DNS rebinding vulnerability that allows authenticated administrators to circ
Kiteworks is a private data network (PDN). Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable,
Kiteworks versions prior to 9.2.0 suffer from a command injection vulnerability that permits authenticated users to redi
Kiteworks versions prior to 9.2.0 lack proper file validation in their configuration upload functionality, allowing auth
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today