Description
Kiteworks is a private data network (PDN). Prior to version 9.3.0, multiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and some global configuration parameters. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Published: 2026-06-01
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw in Kiteworks Secure Data Forms that allows an authenticated user with the FormBuilder role to craft queries that read or modify other users' form definitions and certain global configuration settings. Attackers can use this entry point to obtain sensitive data stored in the database or to change settings that affect the entire application, potentially impacting multiple users.

Affected Systems

The affected product is Kiteworks Secure Data Forms. Any installation of the software older than version 9.3.0 is vulnerable. Versions 9.3.0 and later include the remediation.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity, while the EPSS score is not reported. The vulnerability is not currently listed in the CISA KEV catalog. Because it requires authentication with a privileged role, the attack vector is expected to be internal or from a compromised account; an attacker who has legitimate FormBuilder credentials can exploit the flaw without needing network-level access.

Generated by OpenCVE AI on June 1, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kiteworks Secure Data Forms to version 9.3.0 or later.
  • Restrict the FormBuilder role to trusted administrators and conduct a review of current role assignments.
  • Enable auditing and monitor logs for unusual form definition changes or configuration edits.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Accellion; Accellion kiteworks
CPEs                 (none)           cpe:2.3:a:accellion:kiteworks:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Accellion; Accellion kiteworks

Tue, 02 Jun 2026 13:30:00 +0000

Type     Values Removed   Values Added
Metrics  (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 00:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Kiteworks; Kiteworks secure Data Forms
Vendors & Products   (none)           Kiteworks; Kiteworks secure Data Forms

Mon, 01 Jun 2026 22:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           Kiteworks is a private data network (PDN). Prior to version 9.3.0, multiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and some global configuration parameters. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Title        (none)           Kiteworks Secure Data Forms has a SQL Injection vulnerability
Weaknesses   (none)           CWE-89
References   (none)           (none)
Metrics      (none)           cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}


Subscriptions

Accellion Kiteworks
Kiteworks Secure Data Forms
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T12:30:33.683Z

Reserved: 2026-01-26T21:06:47.869Z

Link: CVE-2026-24782

Vulnrichment

Updated: 2026-06-02T12:30:28.114Z

NVD

Status : Analyzed

Published: 2026-06-01T23:16:21.093

Modified: 2026-06-03T15:16:31.833

Link: CVE-2026-24782

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T00:00:13Z

Weaknesses