HIGH 8.2

CVE-2026-24751: Kiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)

Kiteworks, a platform used to securely share and manage sensitive business data, contains a reflected cross-site scripting (XSS) vulnerability in its Secure Data Forms feature. An attacker can craft a malicious link that, when clicked by a legitimate user, causes the victim's browser to execute arbitrary JavaScript code within the context of the Kiteworks application. This could allow the attacker to steal session cookies, impersonate the user, or perform unauthorized actions on their behalf. The vulnerability affects all versions of Kiteworks prior to 9.3.0.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This is a reflected XSS vulnerability (CWE-79) in Kiteworks Secure Data Forms where unsanitized user input is echoed back into the HTTP response without proper encoding. The vulnerability requires user interaction (clicking a malicious link) and does not require authentication. The attack crosses security boundaries (S:C), allowing the attacker to access data from other origins or sessions in the same browser context. With a CVSS 3.1 score of 8.2 (HIGH), the vulnerability carries significant confidentiality impact due to the ability to access sensitive form data, though integrity and availability impacts are lower.

Business impact

Organizations using Kiteworks for regulated data exchange—common in healthcare, financial services, and legal sectors—face elevated risk of data exposure. A successful attack could compromise sensitive client information, intellectual property, or compliance-regulated data transiting through the platform. Beyond immediate data loss, organizations may face regulatory fines, notification requirements, breach investigation costs, and reputational damage if customer or partner data is exfiltrated through a compromised session. The impact is particularly acute for multi-tenant deployments where one user's compromise could potentially affect shared data environments.

Affected systems

All Kiteworks installations running versions prior to 9.3.0 are affected. This includes any organization that has not yet upgraded to the patched release. The vulnerability is not version-specific to a narrow range; rather, any pre-9.3.0 deployment carries the risk.

Exploitability

This vulnerability is relatively straightforward to exploit from an attacker's perspective. It requires no authentication, no special network position, and can be delivered remotely via email, messaging, or embedded in a webpage. The barrier to exploitation is low: crafting a malicious URL is trivial. However, successful exploitation requires that a user click the link while authenticated to Kiteworks. This social engineering component—tricking a user into clicking—is the primary constraint. In targeted attacks against specific organizations, this barrier is often overcome.

Remediation

Upgrade Kiteworks to version 9.3.0 or later. This is the definitive remediation. Organizations should prioritize this update given the HIGH severity rating and the ease with which the vulnerability can be exploited in social engineering scenarios.

Patch guidance

Contact your Kiteworks vendor (Accellion) or your account team to obtain version 9.3.0 or later. Verify patch availability through the official Accellion advisory or release notes. Plan the upgrade at a time that minimizes disruption to data sharing workflows. Test the upgrade in a non-production environment first to ensure compatibility with your custom integrations or workflows. After patching, no further configuration changes are required to mitigate this specific vulnerability.

Detection guidance

Monitor web application firewall (WAF) logs for unusual or repeated attempts to access Kiteworks Secure Data Forms URLs with suspicious query parameters or encoded payloads. Look for requests containing script tags, event handlers (onload, onerror, onclick), or other JavaScript injection patterns in form parameters. Check Kiteworks access logs for sessions with unusual behavior following clicks on unfamiliar links—for example, bulk downloads or configuration changes shortly after a user's session begins. If you have the capability, inspect browser console logs or security event logs on user machines for unexpected JavaScript execution. Consider implementing Content Security Policy (CSP) headers in Kiteworks to restrict script execution to trusted sources as a temporary supplementary control.

Why prioritize this

This vulnerability merits immediate attention. The CVSS 8.2 score reflects HIGH severity, and while KEV/CISA tracking is not yet active, the combination of high exploitability, broad applicability (affects all pre-9.3.0 versions), and significant confidentiality impact on regulated data makes this a top-tier priority. Organizations handling sensitive data through Kiteworks should treat patching as urgent.

Risk score, explained

The CVSS 8.2 score reflects: (1) Network-accessible attack vector with no special access required; (2) Low attack complexity—no special conditions must be present to exploit; (3) No privileges required to launch the attack; (4) User interaction required, which reduces the score slightly but is easily satisfied through social engineering; (5) Scope changed, enabling cross-boundary attacks; (6) High confidentiality impact due to potential theft of sensitive form data and session information; (7) Low integrity and no availability impact. The overall score appropriately captures a serious vulnerability that demands prompt remediation but is not an immediate threat if users are security-aware and users have not been targeted by active exploitation.

Frequently asked questions

Can this vulnerability be exploited without user interaction?

No. The vulnerability requires a user to click on a malicious link. However, this is a relatively low barrier in targeted phishing or social engineering campaigns, and users in high-security roles may still be tricked.

Does patching to 9.3.0 require downtime?

Downtime requirements depend on your deployment architecture and Kiteworks configuration. Consult the official Accellion upgrade guide and test in a staging environment. Many organizations plan patches during maintenance windows to minimize user impact.

Are there interim mitigations if we cannot patch immediately?

While patching is the definitive fix, you can implement supplementary controls: deploy a WAF with XSS detection rules, educate users about suspicious links in emails claiming to be from Kiteworks, monitor access logs for anomalous behavior, and consider restricting Kiteworks access by IP or VPN until patched.

What data is at risk if an attacker successfully exploits this?

An attacker could steal session cookies, perform actions as the compromised user, access any data the user has permission to view or download, and potentially escalate access if the user holds administrative roles. The exact scope depends on what data the victim normally accesses within Kiteworks.

This analysis is based on publicly available vulnerability data current as of the publication date. Security conditions, patch availability, and exploitation status may change. Organizations should verify patch release dates and compatibility with their specific Kiteworks version against the official Accellion advisory. This document does not constitute professional security advice; consult your security team or a qualified vendor before making remediation decisions. No exploit code or weaponized proof-of-concept steps are provided. Always test patches in a non-production environment before deploying to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).