Description
Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Published: 2026-06-01
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected XSS flaw in Kiteworks Secure Data Forms that existed before version 9.3.0. An external actor could provide a crafted link or form that, when a user interacts with it, causes arbitrary JavaScript to run in the user’s browser session. This could allow the attacker to exfiltrate session credentials, alter the displayed content, or perform actions on behalf of the user, thereby compromising both the confidentiality and integrity of data within the private data network.

Affected Systems

The affected product is Kiteworks Secure Data Forms. Deployments running any version older than 9.3.0 are impacted; upgrading to version 9.3.0 or later eliminates the flaw.

Risk and Exploitability

The CVSS score of 8.2 signals a high severity risk. No EPSS value is available, but reflected XSS remains a common and effective attack vector. The vulnerability is not listed in the CISA KEV catalog, so no large‑scale exploitation has been reported yet; however, the exploit requires user interaction, implying that the risk remains for users who may click malicious links or submit tampered forms. The likely attack vector is an attacker‑controlled URL or form presented to a user of the affected deployment.

Generated by OpenCVE AI on June 1, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kiteworks to version 9.3.0 or later to apply the patch that removes the reflected XSS flaw.
  • Immediately rotate session tokens and ensure users log out after applying the patch to eliminate any session exposure that might have been acquired prior to the update.
  • Deploy web application firewall rules to block or sanitize inputs containing script tags on the Secure Data Forms endpoints as an interim defense if an upgrade cannot be performed immediately.

Generated by OpenCVE AI on June 1, 2026 at 23:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Accellion
Accellion kiteworks
CPEs cpe:2.3:a:accellion:kiteworks:*:*:*:*:*:*:*:*
Vendors & Products Accellion
Accellion kiteworks

Tue, 02 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Kiteworks
Kiteworks secure Data Forms
Vendors & Products Kiteworks
Kiteworks secure Data Forms

Mon, 01 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Title Kiteworks Secure Data Forms Vulnerable to Cross-site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}

Subscriptions

Accellion Kiteworks
Kiteworks Secure Data Forms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T14:09:43.167Z

Reserved: 2026-01-26T19:06:16.060Z

Link: CVE-2026-24752

cve-icon Vulnrichment

Updated: 2026-06-02T14:09:30.319Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-01T23:16:20.213

Modified: 2026-06-03T15:29:15.907

Link: CVE-2026-24752

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T23:45:40Z

Weaknesses