Skip to main content

Security Advisories

1 CVEs product

Monthly

CVE-2026-24754 MEDIUM This Month

Stored cross-site scripting in Kiteworks Secure Data Forms allows authenticated low-privileged attackers to inject persistent malicious JavaScript that executes in other users' browser sessions. All Kiteworks releases prior to version 9.3.0 are affected, and the changed-scope CVSS modifier (S:C) confirms that injected scripts execute beyond the attacker's own session boundary, enabling session hijacking, credential theft, or unauthorized actions on behalf of victim users. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.

XSS Security Advisories
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Kiteworks Secure Data Forms allows authenticated low-privileged attackers to inject persistent malicious JavaScript that executes in other users' browser sessions. All Kiteworks releases prior to version 9.3.0 are affected, and the changed-scope CVSS modifier (S:C) confirms that injected scripts execute beyond the attacker's own session boundary, enabling session hijacking, credential theft, or unauthorized actions on behalf of victim users. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.

XSS Security Advisories
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy