CVE-2026-28272
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Description
Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when users interact with the affected user interface. Version 9.2.0 contains a patch for the issue.
Analysis
Kiteworks Email Protection Gateway prior to version 9.2.0 contains a stored cross-site scripting vulnerability in its configuration interface that allows authenticated administrators to inject malicious scripts executed against other users. An admin with high privileges can exploit this to compromise user sessions and data through the affected UI. …
Remediation
Within 24 hours: Inventory all Kiteworks instances and confirm versions; restrict administrative access to the configuration interface to essential personnel only and enable detailed audit logging. Within 7 days: Contact Kiteworks support for 9.2.0 upgrade timeline and interim patches; implement compensating controls (network segmentation, IP whitelisting for admin access). …