Skip to main content

Kiteworks EUVDEUVD-2026-33749

| CVE-2026-24751 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-01 GitHub_M
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 01, 2026 - 22:02 EUVD
Analysis Generated
Jun 01, 2026 - 20:52 vuln.today

DescriptionGitHub Advisory

Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

AnalysisAI

Reflected cross-site scripting in Kiteworks Secure Data Forms prior to version 9.3.0 allows external attackers to execute arbitrary JavaScript in a victim's browser session by tricking them into clicking a crafted link. The flaw carries a CVSS 8.2 due to scope change (S:C) and high confidentiality impact, but exploitation requires user interaction. At time of analysis, no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

Kiteworks is a Private Data Network (PDN) platform used for governed file sharing, managed file transfer, and secure forms; the Secure Data Forms component (cpe:2.3:a:kiteworks:secure_data_forms) enables organizations to collect sensitive data via web forms. The vulnerability is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a reflected XSS where attacker-controlled input echoed back in the form's response page is not properly encoded, permitting injection of script content into the DOM rendered for the victim.

RemediationAI

Vendor-released patch: Kiteworks 9.3.0 - upgrade all Kiteworks PDN instances to 9.3.0 or later as referenced in the GitHub Security Advisory GHSA-xp8m-wmmp-f947 (https://github.com/kiteworks/security-advisories/security/advisories/GHSA-xp8m-wmmp-f947). Until the upgrade is deployed, restrict access to the Secure Data Forms endpoint via network ACLs or WAF rules that filter common reflected XSS payloads (script tags, on-event handlers, javascript: URIs) in query parameters reaching the forms component, accepting that custom-encoded payloads may bypass signature-based WAFs. Educate form recipients to avoid clicking unsolicited Kiteworks form links from external senders and consider enabling a strict Content-Security-Policy header on the Kiteworks instance if supported by the deployment, noting that CSP changes can break legitimate embedded scripts and should be tested in a staging environment first.

Share

EUVD-2026-33749 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy