CVE-2026-24750 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 that affects Kiteworks Secure Data Forms prior to version 9.2.1. The vulnerability arises from improper neutralization of input during web page generation, allowing an authenticated attacker to inject malicious scripts into forms by modifying them. When other users view the compromised forms, the injected scripts execute in their browsers within the security context of the Kiteworks application. This can lead to theft of sensitive information such as session cookies, credentials, or other confidential data, as well as unauthorized actions performed on behalf of users. The vulnerability has a CVSS 3.1 base score of 7.6, reflecting high impact on confidentiality and integrity, low attack complexity, and the requirement for attacker privileges and user interaction. Although no known exploits are currently reported in the wild, the presence of this vulnerability in a widely used private data network platform makes it a significant risk. Kiteworks has addressed this issue in version 9.2.1, urging users to upgrade to mitigate the threat. The vulnerability highlights the critical importance of proper input validation and output encoding in web applications, especially those handling sensitive data.

The impact of CVE-2026-24750 is substantial for organizations using Kiteworks Secure Data Forms. Exploitation can lead to unauthorized disclosure of sensitive information, including user credentials and session tokens, compromising confidentiality. Integrity is also at risk as attackers can manipulate form data or perform unauthorized actions on behalf of legitimate users. Availability impact is low but may occur if injected scripts disrupt normal application functionality. Since the vulnerability requires authentication and user interaction, the attack surface is somewhat limited but still significant in environments with many users and frequent form interactions. Organizations handling sensitive or regulated data face increased risk of data breaches, compliance violations, and reputational damage. The vulnerability could also be leveraged as a foothold for further attacks within private data networks, amplifying its potential harm.

To mitigate CVE-2026-24750, organizations should immediately upgrade Kiteworks Secure Data Forms to version 9.2.1 or later, where the vulnerability is patched. Beyond upgrading, implement strict input validation and output encoding on all user-supplied data within forms to prevent script injection. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. Conduct regular security assessments and code reviews focusing on input handling and sanitization. Educate users about the risks of interacting with suspicious forms and encourage reporting of anomalies. Monitor application logs for unusual form modification activities that could indicate attempted exploitation. Finally, consider implementing multi-factor authentication (MFA) to reduce the risk posed by compromised credentials.