Description
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain
Published: 2026-02-27
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (RCE)
Action: Immediate Patch
AI Analysis

Impact

The CleverTap Web SDK (version 1.15.2 and earlier) contains a Cross‑Site Scripting weakness. The SDK’s event handler handleCustomHtmlPreviewPostMessageEvent performs origin validation by using the includes() method, which is insufficient. An attacker can craft a message from a subdomain of the trusted origin and evade the check, causing arbitrary JavaScript to execute in the visitor’s browser. This flaw can lead to disclosure of sensitive information, session hijacking, or manipulation of the page, effectively granting the attacker remote code execution in the victim’s context.

Affected Systems

CleverTap Web SDK is the product affected. The library version range 1.15.2 and earlier is vulnerable. All deployments that rely on the advertised SDK without upgrading beyond these versions are exposed.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity. The EPSS score is below 1 %, implying that exploitation is unlikely but possible. The flaw is not listed in CISA’s KEV catalog. Attackers can exploit the vulnerability remotely by sending a crafted postMessage from a subdomain, bypassing the includes‑based origin check. Successful exploitation would provide the attacker with the same privileges as the page’s JavaScript context, potentially allowing full control of the user session.

Generated by OpenCVE AI on April 16, 2026 at 15:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CleverTap Web SDK to the latest available version that contains the origin‑validation fix.
  • Replace the existing origin check in handleCustomHtmlPreviewPostMessageEvent with strict equality against the expected origin, rejecting any subdomains or unexpected origins.
  • Sanitize or escape any HTML content provided to the SDK before rendering, and consider disabling or removing the postMessage handler if it is not required.

Generated by OpenCVE AI on April 16, 2026 at 15:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j5mf-6rh3-rhgg CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function
History

Thu, 16 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting via Improper Origin Validation in CleverTap Web SDK

Tue, 03 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Clevertap clevertap Web Sdk
CPEs cpe:2.3:a:clevertap:clevertap_web_sdk:*:*:*:*:*:*:*:*
Vendors & Products Clevertap clevertap Web Sdk

Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Clevertap
Clevertap web Sdk
Vendors & Products Clevertap
Clevertap web Sdk

Fri, 27 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
Description CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain
References

Subscriptions

Clevertap Clevertap Web Sdk Web Sdk
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-02-27T19:42:58.097Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26861

cve-icon Vulnrichment

Updated: 2026-02-27T19:41:16.290Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T18:16:12.043

Modified: 2026-03-03T18:46:02.547

Link: CVE-2026-26861

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses