By vendor

Accellion vulnerabilities

Known CVEs affecting Accellion products, prioritized by severity, with SEC.co remediation and detection guidance.

9 published vulnerabilities

  • CVE-2026-24751HIGH 8.2

    Kiteworks, a platform used to securely share and manage sensitive business data, contains a reflected cross-site scripting (XSS) vulnerability in its Secure Data Forms feature. An attacker can craft a malicious link that, when clicked by a legitimate user, causes the victim's browser to execute arbitrary JavaScript code within the context of the Kiteworks application. This could allow the attacker to steal session cookies, impersonate the user, or perform unauthorized actions on their behalf. The vulnerability affects all versions of Kiteworks prior to 9.3.0.

  • CVE-2026-24752HIGH 8.2

    Kiteworks, a private data network platform, contains a reflected cross-site scripting (XSS) flaw in its Secure Data Forms component that could allow an attacker to inject malicious JavaScript. An attacker could craft a deceptive link and trick a user into clicking it, causing the user's browser to execute arbitrary code in the context of their Kiteworks session. This is a social engineering attack vector rather than a direct infrastructure compromise, but the impact can be severe if the victim has administrative or sensitive data access.

  • CVE-2026-24782HIGH 7.6

    Kiteworks, a platform designed to securely manage private data networks, contains multiple SQL injection flaws in its Secure Data Forms feature. Prior to version 9.3.0, an authenticated user with FormBuilder role permissions can exploit these vulnerabilities to access or alter form definitions belonging to other users and potentially modify some system-wide settings. This is a privilege escalation and data exposure risk that requires prompt patching.

  • CVE-2026-23638MEDIUM 6.5

    Kiteworks, a platform designed to secure and control data sharing across organizations, contains a flaw that allows authenticated users to modify form approval workflows that belong to other users. The vulnerability stems from inadequate checks on who actually owns or has permission to modify a particular form's configuration. An attacker with valid Kiteworks credentials could exploit this to alter how forms route for approval, potentially disrupting legitimate business processes or gaining unauthorized visibility into sensitive approvals.

  • CVE-2026-24753MEDIUM 6.5

    Kiteworks Secure Data Forms contained an authorization flaw that allowed authenticated users to modify data forms and resources belonging to other users. The vulnerability stems from insufficient checks verifying that a user actually owns or has permission to modify a resource before allowing the action. Any authenticated user could exploit this by directly referencing another user's resource identifiers and making changes. This is categorized as an Insecure Direct Object Reference (IDOR) vulnerability. The issue is resolved in Kiteworks version 9.3.0 and later.

  • CVE-2026-24754MEDIUM 5.4

    Kiteworks, a private data network platform used for secure file sharing and collaboration, contains a stored cross-site scripting (XSS) vulnerability in its Secure Data Forms feature. An authenticated user with legitimate access could craft malicious input that persists in the application and executes in other users' browsers when they view the affected form. This allows the attacker to steal session tokens, perform actions on behalf of victims, or harvest sensitive data passing through their sessions. The vulnerability requires prior authentication and user interaction (clicking a link or viewing a page), limiting but not eliminating its risk. Kiteworks versions before 9.3.0 are affected; upgrading resolves the issue.

  • CVE-2026-24755MEDIUM 5.4

    Kiteworks, a platform for secure data sharing and management, contains a flaw in its Secure Data Forms feature that allows logged-in users to change permissions on files and folders belonging to other users. The vulnerability stems from the system not properly verifying whether a user actually owns or has authority over a resource before allowing permission changes. An attacker with valid credentials could exploit this to gain access to, or revoke access from, other users' sensitive data without authorization.

  • CVE-2026-24756MEDIUM 4.3

    Kiteworks, a platform for secure data sharing and management, contains a flaw that allows authenticated users to modify data belonging to other users. The vulnerability stems from the application failing to properly verify that a user should have access to resources they're attempting to change. An attacker with valid credentials could exploit this to alter forms, templates, or other shared resources without authorization. The fix requires upgrading to version 9.3.0 or later.

  • CVE-2026-24761LOW 3.7

    CVE-2026-24761 is an authorization flaw in Kiteworks Secure Data Forms that allows authenticated users to view metadata belonging to other users. Because the system doesn't properly verify who owns a resource before allowing access, a legitimate user can craft requests to retrieve information about files and documents they shouldn't see. The vulnerability requires an attacker to already have valid credentials and involves a higher complexity of exploitation, which limits its risk profile. This affects Kiteworks versions before 9.3.0.