Description
Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Published: 2026-06-01
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected XSS flaw exists in Kiteworks Secure Data Forms versions before 9.3.0, allowing an attacker to persuade a user to execute arbitrary JavaScript when a crafted URL or form is accessed. This type of attack can lead to hijacking of the victim’s session, theft of sensitive information, or further command execution within the application context.

Affected Systems

The vulnerability affects the Kiteworks Secure Data Forms component of the Kiteworks private data network. Systems running any version earlier than 9.3.0 are potentially exposed.

Risk and Exploitability

The CVSS score is 8.2, indicating a high‑severity issue. No EPSS value is provided and the vulnerability is not listed in the CISA KEV catalog, suggesting moderate awareness among exploiters. The likely attack vector is reflected XSS, which requires the victim to interact with a maliciously crafted link or form, making the attack user‑dependent but easy to execute once a careless user clicks the payload.

Generated by OpenCVE AI on June 1, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kiteworks to version 9.3.0 or later to receive the vendor‑supplied patch.
  • Conduct sanity tests against your existing forms using standard XSS payloads to confirm the patch removes the vulnerability.
  • Implement a content security policy or a web application firewall rule that blocks inline script execution and restricts script sources to trusted domains.

Generated by OpenCVE AI on June 1, 2026 at 21:25 UTC.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Accellion
                                      Accellion kiteworks
CPEs                                  cpe:2.3:a:accellion:kiteworks:*:*:*:*:*:*:*:*
Vendors & Products                    Accellion
                                      Accellion kiteworks

Tue, 02 Jun 2026 13:30:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Kiteworks
                                      Kiteworks secure Data Forms
Vendors & Products                    Kiteworks
                                      Kiteworks secure Data Forms

Mon, 01 Jun 2026 20:30:00 +0000

Type                 Values Removed   Values Added
Description                           Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Title                                 Kiteworks Secure Data Forms Vulnerable to Cross-site Scripting
Weaknesses                            CWE-79
References
Metrics                               cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T12:19:54.680Z

Reserved: 2026-01-26T19:06:16.060Z

Link: CVE-2026-24751

Vulnrichment

Updated: 2026-06-02T12:19:43.651Z

NVD

Status: Analyzed

Published: 2026-06-01T21:16:26.950

Modified: 2026-06-03T15:29:40.383

Link: CVE-2026-24751

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T21:30:26Z

Weaknesses