MEDIUM 5.4

CVE-2026-24754: Kiteworks Stored XSS in Secure Data Forms – Patch to v9.3.0

Kiteworks, a private data network platform used for secure file sharing and collaboration, contains a stored cross-site scripting (XSS) vulnerability in its Secure Data Forms feature. An authenticated user with legitimate access could craft malicious input that persists in the application and executes in other users' browsers when they view the affected form. This allows the attacker to steal session tokens, perform actions on behalf of victims, or harvest sensitive data passing through their sessions. The vulnerability requires prior authentication and user interaction (clicking a link or viewing a page), limiting but not eliminating its risk. Kiteworks versions before 9.3.0 are affected; upgrading resolves the issue.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Kiteworks is a private data network (PDN). Prior to version 9.3.0, a stored XSS vulnerability in Kiteworks Secure Data Forms could allow an authenticated attacker to execute arbitrary JavaScript code in other users' sessions. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-24754 is a stored XSS vulnerability (CWE-79) in Kiteworks Secure Data Forms. The flaw allows an authenticated attacker to inject malicious JavaScript that persists server-side and executes in victim users' browser contexts with the same origin privileges. The attack vector is network-based with low attack complexity; it requires valid credentials (PR:L) and user interaction (UI:R) such as navigating to a malicious form or link. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component—specifically, other authenticated sessions. The impact is limited to confidentiality and integrity of the user's session (C:L, I:L), with no availability impact (A:N). CVSS v3.1 base score is 5.4 (MEDIUM severity).

Business impact

Stored XSS in a data-sharing platform poses significant operational and compliance risk. Attackers can hijack user sessions to access, exfiltrate, or modify sensitive documents and data in transit through Kiteworks. In regulated industries (healthcare, finance, legal), unauthorized data access or modification can trigger breach notification obligations and regulatory fines. The attack may also be used for lateral movement, credential theft, or to plant backdoors within the platform. Since Kiteworks is often a central hub for confidential information exchange, a successful attack could expose multiple parties' documents simultaneously. Remediation is straightforward but requires coordination across deployed instances.

Affected systems

Kiteworks (by Accellion) versions prior to 9.3.0 are vulnerable. The issue resides in the Secure Data Forms component, so any deployment using that feature is at risk. Organizations running Kiteworks in on-premises, private cloud, or SaaS environments with version numbers below 9.3.0 should prioritize assessment and patching.

Exploitability

Exploitation requires valid Kiteworks authentication credentials, reducing the attack surface to insider threats or accounts compromised through phishing or credential theft. The attacker must craft a malicious form and either social-engineer victims into viewing it or place it where target users will encounter it during normal workflow. User interaction is necessary (e.g., clicking a link, viewing the form), so purely automated attacks are not possible. However, within a typical organization, legitimate-looking forms are routine, and users may not scrutinize them closely. The ease of injecting JavaScript into form fields likely makes exploitation straightforward once an attacker has credentials. Kiteworks is not currently listed in CISA's KEV catalog, indicating no confirmed active exploitation in the wild, though that does not rule out private exploitation.

Remediation

Upgrade Kiteworks to version 9.3.0 or later. This version includes input validation and output encoding fixes that prevent malicious JavaScript from persisting in Secure Data Forms. Organizations should verify the patch version in vendor release notes before deployment. After patching, consider additional hardening: review access controls to limit who can create or modify forms, monitor form submissions and user activity for anomalies, and consider deploying a Web Application Firewall (WAF) with XSS detection rules as a defense-in-depth measure.

Patch guidance

Obtain Kiteworks version 9.3.0 or later from Accellion. Before deploying to production, test the upgrade in a staging environment to confirm compatibility with your existing configurations, integrations, and custom forms. Schedule patching during a maintenance window to allow for validation and rollback if needed. Communicate the maintenance window to end users in advance, as they will experience brief service interruption. After upgrade, verify that Secure Data Forms continue to function correctly and that any custom forms or workflows are unaffected. Document the patched version in your asset inventory and change management system.

Detection guidance

Monitor Kiteworks access logs for unusual form creation or modification activities by low-privilege users. Search for anomalous JavaScript syntax or HTML entities (e.g., <script>, onerror=, onclick=) in form field submissions, particularly in fields that accept rich text or custom input. Track user sessions for unexpected lateral movement or data access patterns following form interaction. If you suspect exploitation, audit the form repository for forms containing encoded or obfuscated JavaScript payloads. Correlation with browser-based telemetry (if available) or endpoint detection tools may reveal JavaScript execution anomalies on user workstations. Review Kiteworks audit logs for evidence of session hijacking or unusual API calls originating from compromised sessions.

Why prioritize this

Although CVSS score is MEDIUM (5.4), this vulnerability warrants timely remediation because: (1) Kiteworks is typically deployed as a centralized data hub, making a single compromise high-impact; (2) stored XSS in a collaboration platform creates persistent risk across all users who interact with poisoned forms; (3) the barrier to exploitation is low for insiders or attackers with stolen credentials; (4) regulated industries using Kiteworks may face compliance violations if data is exfiltrated; (5) the patch is readily available and straightforward to deploy. Prioritize patching for production Kiteworks instances within 30 days, sooner if the platform handles highly sensitive data (PII, PHI, trade secrets).

Risk score, explained

The CVSS v3.1 score of 5.4 (MEDIUM) reflects the requirement for authentication (PR:L) and user interaction (UI:R), which limit the pool of attackers and scenarios. However, the 'changed scope' (S:C) indicates the vulnerability can affect other users' sessions and resources, elevating risk beyond a single-user impact. Confidentiality and integrity impacts (C:L, I:L) are moderate, as the attacker can access and modify session-specific data but does not achieve full system compromise or denial of service. In the context of a shared data platform where form-based workflows are routine, the real-world risk may exceed the base score, especially if threat actors actively target the supply-chain or collaboration partners. Organizations should consider supplementary risk factors: data sensitivity, user count, insider threat profile, and compliance requirements.

Frequently asked questions

Do we need to patch immediately, or can we wait for the next maintenance window?

While CVSS score is MEDIUM, Kiteworks' role as a central data hub means even a single compromised user session could expose sensitive multi-party data. If your deployment handles regulated data (PII, PHI, trade secrets) or high-value information, patch within 30 days. If Kiteworks contains lower-risk data and you have strong compensating controls (e.g., WAF, strong authentication, session monitoring), you may defer to the next planned maintenance window, provided it occurs within 60 days.

What is the difference between this vulnerability and a typical reflected XSS?

Stored XSS is more dangerous because the malicious payload persists server-side in the database. Every time any user views the affected form, the JavaScript executes in their browser—attackers do not need to trick victims into clicking a specific link. Reflected XSS, by contrast, requires the attacker to include the payload in a URL and social-engineer users to click it. Stored XSS is a 'fire and forget' attack with wider reach.

Can a non-authenticated user exploit this?

No. The vulnerability requires valid Kiteworks credentials. Exploitation is limited to insider threats, compromised employee accounts, or attackers who have obtained credentials through phishing or credential reuse. This is why access controls and user training remain critical preventive measures.

What should we do if we suspect our Kiteworks instance has been exploited?

Immediately isolate affected user accounts and force password resets. Audit the form repository and recent submissions for malicious payloads. Review user session activity and access logs for unauthorized data access or lateral movement. Consider engaging incident response resources to perform forensic analysis. If regulated data may have been accessed, initiate breach notification procedures and inform legal/compliance teams.

This analysis is based on the CVE record published 2026-06-01 and modified 2026-06-17. Patch version information reflects the vendor advisory; verify against official Accellion/Kiteworks release notes before deployment. This page provides general guidance; organizations should conduct their own risk assessment based on their deployment architecture, data classification, and threat model. SEC.co makes no warranty regarding the completeness or accuracy of vulnerability intelligence and recommends consulting vendor advisories and security mailing lists for the latest information. This content is for informational purposes only and does not constitute legal, compliance, or professional security advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).