Description
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify that the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain.
Published: 2026-02-27
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: DOM-based XSS
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in CleverTap Web SDK allows an attacker to inject malicious scripts into the DOM through the window.postMessage API. The Visual Builder module performs origin validation by checking if the origin URL contains the string "dashboard.clevertap.com" using the includes() method. An attacker can craft a subdomain that contains this string, bypassing the validation and delivering arbitrary JavaScript code to pages that load the SDK. This leads to the execution of attacker‑controlled code in the victim’s browser, compromising all data and functionality accessed by that user.

Affected Systems

CleverTap Web SDK versions 1.15.2 and earlier are affected. The vulnerability resides in the src/modules/visualBuilder/pageBuilder.js component of the SDK. Any web application that incorporates the SDK and uses the Visual Builder module shares this risk.

Risk and Exploitability

The CVSS score of 8.3 indicates a high severity impact. The EPSS score is reported as less than 1%, suggesting that, at present, the likelihood of exploitation is low, yet an attacker with the ability to register or control a subdomain can still bypass the origin check. The vulnerability is not listed in the CISA KEV catalog, meaning no known active exploits are documented. The attack vector is remote, requiring the attacker to host a malicious page that sends a postMessage to the SDK with a crafted origin that passes the lenient includes() check.

Generated by OpenCVE AI on April 16, 2026 at 15:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CleverTap Web SDK to the latest version that contains the fixed pageBuilder.js, which validates the origin correctly.
  • If an upgrade is not immediately possible, modify the origin check to compare the full origin string exactly against "https://dashboard.clevertap.com", removing the substring includes() approach.
  • Disabling the Visual Builder module or removing the postMessage handler until a patched SDK is deployed will prevent the XSS vector from being exercised.
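The following is an added illustration, not code from the CleverTap SDK or from OpenCVE. It places the substring-style origin check the advisory describes beside an exact allow-list comparison of MessageEvent.origin, runs both over a constructed set of origins (the legitimate dashboard plus lookalikes under the reserved .example TLD), and wires the strict check into a minimal message handler that treats payloads as data only. The handler shape, message format, and sample origins are assumptions for the example.

```javascript
// Added example (not CleverTap's code). Demonstrates why a substring origin
// check is insufficient for window.postMessage and how an exact allow-list
// comparison closes the gap. Origins and message format are assumptions.

// Exact allow-list of trusted origins. MessageEvent.origin is always of the
// form scheme://host[:port] (no path), so full-string equality is the correct
// comparison; anything else (substring, prefix, regex without anchors) is weaker.
const TRUSTED_ORIGINS = new Set(['https://dashboard.clevertap.com']);

// The weak pattern the advisory describes: a substring test on the origin.
function weakOriginCheck(originUrl) {
  return typeof originUrl === 'string' && originUrl.includes('dashboard.clevertap.com');
}

// The hardened pattern recommended above: exact match against the allow-list.
function strictOriginCheck(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Constructed sample origins: the real dashboard origin plus three that a
// substring test accepts but an exact comparison rejects.
const SAMPLE_ORIGINS = [
  'https://dashboard.clevertap.com',          // legitimate
  'https://dashboard.clevertap.com.example',  // lookalike: extra labels appended
  'https://notdashboard.clevertap.com',       // lookalike: prefix on the host label
  'http://dashboard.clevertap.com',           // wrong scheme
];

// Evaluate both checks over a list of origins; returns one record per origin.
function compareChecks(origins = SAMPLE_ORIGINS) {
  return origins.map((origin) => ({
    origin,
    weak: weakOriginCheck(origin),
    strict: strictOriginCheck(origin),
  }));
}

// Minimal postMessage handler: reject anything not on the allow-list, then
// accept only a known data-only message shape. Returns a decision object so
// the logic can be exercised without a DOM.
function handleBuilderMessage(event) {
  if (!strictOriginCheck(event.origin)) {
    return { accepted: false, reason: 'origin not on allow-list: ' + event.origin };
  }
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || msg.type !== 'setText') {
    return { accepted: false, reason: 'unsupported message type' };
  }
  // Coerce fields to strings; the text is later written via textContent, so it
  // is never parsed as HTML or evaluated as script.
  return {
    accepted: true,
    action: { selector: String(msg.selector), text: String(msg.text) },
  };
}

// Apply an accepted action to a document. textContent (not innerHTML) keeps
// attacker-influenced text from being interpreted as markup.
function applyAction(action, doc) {
  const el = doc.querySelector(action.selector);
  if (!el) return false;
  el.textContent = action.text;
  return true;
}

// Browser wiring; skipped when run outside a browser (e.g. under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('message', (event) => {
    const result = handleBuilderMessage(event);
    if (result.accepted) applyAction(result.action, document);
  });
}
```

Running compareChecks() shows the substring check accepting all four sample origins while the exact comparison accepts only the first; the handler refuses the lookalike origins before ever looking at the payload, and even accepted payloads are applied as text rather than markup.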


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-jfrq-hj9f-c8qx
Title: CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage
History

Thu, 16 Apr 2026 16:15:00 +0000

Type: Title
Values Added: DOM-based Cross-Site Scripting via Window.postMessage in CleverTap Web SDK Visual Builder

Tue, 03 Mar 2026 18:45:00 +0000

Type: First Time appeared
Values Added: Clevertap; clevertap Web Sdk
Type: CPEs
Values Added: cpe:2.3:a:clevertap:clevertap_web_sdk:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Clevertap; clevertap Web Sdk

Mon, 02 Mar 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Clevertap; Clevertap web Sdk
Type: Vendors & Products
Values Added: Clevertap; Clevertap web Sdk

Fri, 27 Feb 2026 20:15:00 +0000

Type: Weaknesses
Values Added: CWE-79; CWE-829
Type: Metrics
Values Added:
  cvssV3_1: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 18:15:00 +0000

Type: Description
Values Added: CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain.
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-02-27T19:39:16.900Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26862

Vulnrichment

Updated: 2026-02-27T19:37:17.397Z

NVD

Status: Analyzed

Published: 2026-02-27T18:16:12.163

Modified: 2026-03-03T18:44:20.997

Link: CVE-2026-26862

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-829

    Inclusion of Functionality from Untrusted Control Sphere