CVE-2026-24752

Kiteworks Secure Data Forms Vulnerable to Cross-site Scripting

CVSS 8.2 HIGH · EPSS 0.3% · CWE-79

In short

Kiteworks Secure Data Forms contains a reflected XSS vulnerability that allows attackers to trick users into executing malicious JavaScript code by sending specially crafted links. This could lead to theft of sensitive data or unauthorized actions on behalf of the user.

Technical detail

A reflected XSS vulnerability in Kiteworks Secure Data Forms (pre-9.3.0) allows external attackers to inject arbitrary JavaScript into user browsers via malicious URLs. The attack vector is social engineering (phishing/link manipulation), requiring user interaction to visit the crafted link; successful exploitation enables arbitrary script execution in the victim's session context with access to session data and form contents.

Summary generated and translated by AI from the official description.
Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
