CVE-2026-28272 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting Kiteworks Email Protection Gateway versions earlier than 9.2.0. The flaw arises due to improper neutralization of input during web page generation within a configuration interface accessible to authenticated administrators. Specifically, these administrators can inject malicious JavaScript code that is persistently stored and later executed in the browsers of users who interact with the compromised interface. The vulnerability impacts the confidentiality and integrity of user sessions by enabling script execution in the security context of legitimate users, potentially leading to session hijacking, credential theft, or unauthorized actions. The CVSS v3.1 score is 8.1, reflecting high severity, with an attack vector of network (remote), low attack complexity, requiring high privileges (administrator), and user interaction. The scope is changed, indicating that the vulnerability affects components beyond the initially vulnerable module. No known exploits have been reported in the wild as of the publication date. The vendor has addressed the issue in Kiteworks version 9.2.0 by implementing proper input validation and output encoding to neutralize malicious scripts. This vulnerability is particularly critical in environments where multiple users access the management interface, as it can facilitate lateral movement or privilege escalation through social engineering or session compromise.

The vulnerability poses significant risks to organizations using Kiteworks Email Protection Gateway versions prior to 9.2.0. Successful exploitation can lead to unauthorized disclosure of sensitive information, including user credentials and session tokens, compromising confidentiality. Integrity is at risk as attackers may execute unauthorized actions on behalf of legitimate users. Although availability is not directly impacted, the breach of trust and potential for further exploitation can disrupt normal operations. The requirement for administrator privileges limits the attack surface but also means that insider threats or compromised administrator accounts can be leveraged. Organizations handling sensitive communications or regulated data are particularly vulnerable to compliance violations and reputational damage. The persistent nature of stored XSS increases the likelihood of widespread impact within affected user populations. Given the network attack vector and low complexity, attackers with access to administrator accounts can exploit this vulnerability remotely, emphasizing the need for timely patching.

Organizations should immediately upgrade Kiteworks Email Protection Gateway to version 9.2.0 or later, where the vulnerability is patched. Until the update can be applied, restrict administrator access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of account compromise. Conduct regular audits of administrator accounts and monitor for unusual configuration changes or script injections. Implement web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting the management interface. Educate administrators about the risks of injecting untrusted input and encourage safe configuration practices. Additionally, review and harden user interface components to ensure proper input validation and output encoding are consistently applied. Incident response plans should include procedures for detecting and mitigating XSS attacks, including session invalidation and credential resets if compromise is suspected.