CVE-2026-24754: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kiteworks security-advisories
CVE-2026-24754 is a stored cross-site scripting (XSS) vulnerability in Kiteworks Secure Data Forms affecting versions prior to 9. 3. 0. An authenticated attacker could exploit this flaw to execute arbitrary JavaScript code in other users' sessions. This vulnerability has a medium severity rating with a CVSS score of 5. 4. The issue is resolved by upgrading Kiteworks to version 9. 3. 0 or later, which includes a patch for this vulnerability.
AI Analysis
Technical Summary
Kiteworks Secure Data Forms versions before 9.3.0 contain a stored XSS vulnerability (CWE-79) that allows an authenticated attacker to inject malicious JavaScript code, which is then executed in the context of other users' sessions. This improper neutralization of input during web page generation can lead to limited confidentiality and integrity impacts. The vulnerability has a CVSS 3.1 base score of 5.4, reflecting network attack vector, low attack complexity, required privileges, user interaction, and partial impact on confidentiality and integrity. The vendor has released version 9.3.0 to address this issue.
Potential Impact
Successful exploitation allows an authenticated attacker to execute arbitrary JavaScript in other users' sessions, potentially leading to partial disclosure or modification of information accessible to those users. There is no impact on availability. The vulnerability affects confidentiality and integrity to a limited extent.
Mitigation Recommendations
Upgrade Kiteworks to version 9.3.0 or later to apply the official patch that fixes this stored XSS vulnerability. No other mitigation details are provided. Patch status is confirmed by the vendor's versioning recommendation.
CVE-2026-24754: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kiteworks security-advisories
Description
CVE-2026-24754 is a stored cross-site scripting (XSS) vulnerability in Kiteworks Secure Data Forms affecting versions prior to 9. 3. 0. An authenticated attacker could exploit this flaw to execute arbitrary JavaScript code in other users' sessions. This vulnerability has a medium severity rating with a CVSS score of 5. 4. The issue is resolved by upgrading Kiteworks to version 9. 3. 0 or later, which includes a patch for this vulnerability.
CVSS v3.1
Score 5.4medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Kiteworks Secure Data Forms versions before 9.3.0 contain a stored XSS vulnerability (CWE-79) that allows an authenticated attacker to inject malicious JavaScript code, which is then executed in the context of other users' sessions. This improper neutralization of input during web page generation can lead to limited confidentiality and integrity impacts. The vulnerability has a CVSS 3.1 base score of 5.4, reflecting network attack vector, low attack complexity, required privileges, user interaction, and partial impact on confidentiality and integrity. The vendor has released version 9.3.0 to address this issue.
Potential Impact
Successful exploitation allows an authenticated attacker to execute arbitrary JavaScript in other users' sessions, potentially leading to partial disclosure or modification of information accessible to those users. There is no impact on availability. The vulnerability affects confidentiality and integrity to a limited extent.
Mitigation Recommendations
Upgrade Kiteworks to version 9.3.0 or later to apply the official patch that fixes this stored XSS vulnerability. No other mitigation details are provided. Patch status is confirmed by the vendor's versioning recommendation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-26T19:06:16.060Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1e08c8e29bf47b5051e313
Added to database: 6/1/2026, 10:33:44 PM
Last enriched: 6/1/2026, 10:49:25 PM
Last updated: 6/2/2026, 5:05:40 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.