Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
AnalysisAI
Reflected cross-site scripting in Kiteworks Secure Data Forms prior to version 9.3.0 allows external attackers to execute arbitrary JavaScript in a victim's browser session by tricking them into clicking a crafted link. The flaw carries a CVSS 8.2 due to scope change (S:C) and high confidentiality impact, but exploitation requires user interaction. At time of analysis, no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
Kiteworks is a Private Data Network (PDN) platform used for governed file sharing, managed file transfer, and secure forms; the Secure Data Forms component (cpe:2.3:a:kiteworks:secure_data_forms) enables organizations to collect sensitive data via web forms. The vulnerability is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a reflected XSS where attacker-controlled input echoed back in the form's response page is not properly encoded, permitting injection of script content into the DOM rendered for the victim.
RemediationAI
Vendor-released patch: Kiteworks 9.3.0 - upgrade all Kiteworks PDN instances to 9.3.0 or later as referenced in the GitHub Security Advisory GHSA-xp8m-wmmp-f947 (https://github.com/kiteworks/security-advisories/security/advisories/GHSA-xp8m-wmmp-f947). Until the upgrade is deployed, restrict access to the Secure Data Forms endpoint via network ACLs or WAF rules that filter common reflected XSS payloads (script tags, on-event handlers, javascript: URIs) in query parameters reaching the forms component, accepting that custom-encoded payloads may bypass signature-based WAFs. Educate form recipients to avoid clicking unsolicited Kiteworks form links from external senders and consider enabling a strict Content-Security-Policy header on the Kiteworks instance if supported by the deployment, noting that CSP changes can break legitimate embedded scripts and should be tested in a staging environment first.
More in Secure Data Forms
View allReflected cross-site scripting in Kiteworks Secure Data Forms (versions prior to 9.3.0) allows remote unauthenticated at
A stored cross-site scripting (XSS) vulnerability exists in Kiteworks Secure Data Forms that allows authenticated attack
SQL injection in Kiteworks Secure Data Forms before version 9.3.0 allows an authenticated attacker holding the FormBuild
Kiteworks Secure Data Forms prior to version 9.2.1 contains a misconfiguration of security attributes that allows unprot
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms allows authenticated low-privileged users to modi
Kiteworks Secure Data Forms contains an unrestricted file upload vulnerability (CWE-434) that allows form managers to up
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms exposes a permission-modification vector for any
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 allows any authenticated l
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 enables access to other us
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33749