CVE-2026-28272

Kiteworks Email Protection Gateway has a Cross-site Scripting vulnerability

CVSS 8.1 HIGH | EPSS 0.3% | CWE-79
In short

Kiteworks Email Protection Gateway allows logged-in administrators to inject malicious scripts that execute when other users access certain pages. This can steal user data or perform actions on their behalf.

Technical detail

A stored cross-site scripting (XSS) vulnerability exists in the configuration interface of Kiteworks Email Protection Gateway; exploiting it requires an authenticated administrator account. Malicious JavaScript submitted through the configuration interface is persisted by the application and executes in the browsers of other users when they interact with the affected UI, potentially leading to session hijacking, credential theft, or unauthorized actions within the gateway. Versions prior to 9.2.0 are affected.

Summary generated and translated by AI from the official description.
Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when users interact with the affected user interface. Version 9.2.0 contains a patch for the issue.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
