HIGH 8.2

CVE-2026-24752: Kiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)

Kiteworks, a private data network platform, contains a reflected cross-site scripting (XSS) flaw in its Secure Data Forms component that could allow an attacker to inject malicious JavaScript. An attacker could craft a deceptive link and trick a user into clicking it, causing the user's browser to execute arbitrary code in the context of their Kiteworks session. This is a social engineering attack vector rather than a direct infrastructure compromise, but the impact can be severe if the victim has administrative or sensitive data access.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-24752 is a reflected XSS vulnerability (CWE-79) in Kiteworks Secure Data Forms prior to version 9.3.0. The vulnerability allows an unauthenticated attacker to inject unsanitized user input into the application's response, which the victim's browser then executes as trusted JavaScript. The CVSS 3.1 score of 8.2 reflects high confidentiality impact, low integrity impact, and changed scope—meaning an attacker can access sensitive data and potentially modify limited information, with consequences extending beyond the vulnerable component. The network-accessible vector and lack of authentication requirements make exploitation straightforward from a technical standpoint.

Business impact

Successful exploitation could result in unauthorized access to sensitive documents and data stored within the Kiteworks platform. An attacker impersonating a trusted sender could capture session tokens, modify user settings, or exfiltrate confidential files depending on the victim's role and permissions. For organizations using Kiteworks as their primary secure file transfer and collaboration platform, a compromised administrative account or a phishing campaign targeting data custodians could enable large-scale data theft. Reputational damage and potential regulatory violations (HIPAA, GDPR, etc.) may follow if personal or regulated data is exposed.

Affected systems

Kiteworks versions prior to 9.3.0 are vulnerable. Organizations running any Kiteworks deployment in the 9.2.x series and earlier should assume they are at risk. The vulnerability is specific to the Secure Data Forms feature; not all Kiteworks functionality is necessarily equally exposed, but the form submission workflow is typically a high-traffic user interaction point. No other vendors or products are affected by this CVE.

Exploitability

This vulnerability is exploitable but requires social engineering. An attacker must craft a malicious URL containing the XSS payload and convince a user to click it—often via phishing email, instant message, or watering-hole attack. The lack of authentication requirements and network accessibility (AV:N) make the attack surface broad, but the user interaction requirement (UI:R) prevents fully automated exploitation. Since many users are trained to avoid suspicious links, real-world impact depends on attacker sophistication and targeting. The vulnerability is not known to be actively exploited in the wild or included in the CISA KEV list.

Remediation

Upgrade Kiteworks to version 9.3.0 or later to receive the patch. This is a single-version fix; no interim workarounds or configuration changes are documented as substitutes. Organizations unable to upgrade immediately should implement compensating controls: restrict access to Kiteworks forms to authenticated users only, enforce strict Content Security Policy (CSP) headers if configurable, and deploy email filtering and user awareness training to reduce phishing success rates.

Patch guidance

Apply the upgrade to Kiteworks 9.3.0 as soon as practicable. Verify the patch version in the Kiteworks console (typically Admin > System > Version) or consult the Accellion Kiteworks release notes. Test the upgrade in a non-production environment first to ensure compatibility with any custom integrations or forms. Schedule the production upgrade during a maintenance window to minimize user disruption, and plan for a brief service restart. After patching, confirm that Secure Data Forms are functional and that no form data or user sessions were corrupted during the upgrade.

Detection guidance

Monitor web application firewall (WAF) logs and Kiteworks application logs for requests to form endpoints containing suspicious query parameters or encoded JavaScript payloads (look for script tags, event handlers, or base64-encoded content). Search for patterns like `<script>`, `javascript:`, `onerror=`, `onclick=`, or URL encoding of these strings. Check authentication logs for unusual account activity or session tokens issued from unexpected IP addresses shortly after a suspected phishing campaign. If you suspect a user clicked a malicious link, review their recent API calls, data access logs, and any configuration or user management changes they may have initiated. Conduct a browser history review on the affected user's machine if forensics are warranted.

Why prioritize this

Although this vulnerability requires user interaction and is not currently being exploited at scale, a CVSS score of 8.2 reflects significant potential harm. Reflected XSS in a data collaboration platform is particularly dangerous because users are accustomed to clicking links and opening documents from Kiteworks—attackers can exploit that trust. The confidentiality impact is high, and the changed scope means cross-site implications are possible. Organizations with sensitive compliance postures (healthcare, finance, legal) or high-profile threat profiles should prioritize patching within 1–2 weeks. All organizations should plan to patch within 30 days.

Risk score, explained

The CVSS 3.1 score of 8.2 (HIGH) reflects: (1) Network accessibility with no authentication, enabling easy attacker reach; (2) High confidentiality impact—an attacker can read session tokens and access to user-accessible data; (3) Low integrity impact—the attacker's ability to modify data is limited but present; (4) Changed scope—the XSS payload can potentially affect other users or cross-domain contexts. The user interaction requirement prevents a perfect 10, and the lack of system availability impact (no denial of service) caps the score below critical. The rating appropriately conveys a serious threat that requires urgent but non-emergency action.

Frequently asked questions

Can an attacker exploit this vulnerability without tricking a user into clicking a link?

No. This is a reflected XSS vulnerability, which means the malicious payload is not stored on the server—it is only executed if a user clicks a crafted link or submits a specially formatted request. An attacker cannot trigger the vulnerability through passive observation or by merely visiting the Kiteworks platform. Social engineering is a necessary precondition.

Does the patch require any configuration changes or migration of existing forms?

No. Version 9.3.0 is a direct upgrade that patches the vulnerability in place. Existing Secure Data Forms, user roles, and data are preserved. However, you should always test upgrades in a staging environment first to confirm compatibility with any custom scripts or API integrations you may have deployed.

If we restrict Kiteworks access to our internal network only, does that mitigate the vulnerability?

Partially. Network segmentation would prevent external attackers from delivering the phishing email, but it does not mitigate insider threats or compromised internal devices. Additionally, many organizations allow remote workers or partner access to Kiteworks, which could still be targeted. Patching remains the definitive solution; network controls are useful supplementary measures.

Is there a way to detect if a user has already been compromised through this vulnerability?

Check Kiteworks authentication logs for any unusual or unauthorized user activity following a suspected phishing campaign—look for changes to form settings, unexpected data downloads, or account modifications. Query your email gateway logs for reports of the phishing email. If feasible, review the affected user's browser history and session tokens. If a compromise is suspected, reset the user's password, revoke active sessions, and review their access history for data exfiltration. A forensic review by your incident response team may be warranted for high-risk users.

This analysis is based on information published as of June 17, 2026, and CVE-2026-24752 data from authoritative sources. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor advisories or patch deployment timelines. Organizations should verify patch availability and compatibility with their specific Kiteworks deployment before applying any update. This is not a substitute for professional security assessment or incident response consultation. Always test patches in a non-production environment first. If you suspect active exploitation, contact your security operations team or a qualified incident response provider immediately. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).