Description
Kiteworks is a private data network (PDN). Prior to version 9.3.0, a stored XSS vulnerability in Kiteworks Secure Data Forms could allow an authenticated attacker to execute arbitrary JavaScript code in other users' sessions. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Published: 2026-06-01
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kiteworks is vulnerable to a stored cross‑site scripting (XSS) flaw in its Secure Data Forms. An authenticated attacker can inject malicious JavaScript into a form that is then rendered and stored. When other users access the same form, the injected script runs in their browsers, potentially allowing session hijacking, credential theft, or other malicious actions.

Affected Systems

The flaw affects Kiteworks Secure Data Forms within the Kiteworks Private Data Network. Any deployment using versions prior to 9.3.0 is vulnerable and should be upgraded to mitigate the risk.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and no EPSS score is available, so the likelihood of exploitation is uncertain. The vulnerability is not listed in CISA's KEV catalog. Based on the description, the attack vector requires an authenticated user to submit malicious form data, after which other users who view the stored form could be affected.

Generated by OpenCVE AI on June 1, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading Kiteworks to version 9.3.0 or later
  • Enhance input handling by implementing strict validation or output encoding on Secure Data Forms to prevent script injection
  • Continuously monitor application logs for signs of successful script execution or unauthorized form submissions

Generated by OpenCVE AI on June 1, 2026 at 23:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Kiteworks
Kiteworks secure Data Forms
Vendors & Products Kiteworks
Kiteworks secure Data Forms

Mon, 01 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description Kiteworks is a private data network (PDN). Prior to version 9.3.0, a stored XSS vulnerability in Kiteworks Secure Data Forms could allow an authenticated attacker to execute arbitrary JavaScript code in other users' sessions. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Title Kiteworks Secure Data Forms Vulnerable to Cross-site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Kiteworks Secure Data Forms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T15:45:48.778Z

Reserved: 2026-01-26T19:06:16.060Z

Link: CVE-2026-24754

cve-icon Vulnrichment

Updated: 2026-06-02T15:09:16.501Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-01T23:16:20.540

Modified: 2026-06-02T13:55:46.237

Link: CVE-2026-24754

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T00:00:13Z

Weaknesses