Skip to main content

Kiteworks CVE-2026-28272

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-02-27 security-advisories@github.com
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 27, 2026 - 21:16 nvd
HIGH 8.1

DescriptionGitHub Advisory

Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when users interact with the affected user interface. Version 9.2.0 contains a patch for the issue.

AnalysisAI

Kiteworks Email Protection Gateway prior to version 9.2.0 contains a stored cross-site scripting vulnerability in its configuration interface that allows authenticated administrators to inject malicious scripts executed against other users. An admin with high privileges can exploit this to compromise user sessions and data through the affected UI. No patch is currently available for this vulnerability.

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects the a configuration component of Kiteworks. Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when users interact with the affected user interface. Version 9.2.0 contains a patch for the issue.

RemediationAI

Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

Share

CVE-2026-28272 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy