Description
Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when users interact with the affected user interface. Version 9.2.0 contains a patch for the issue.
Published: 2026-02-27
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross-site scripting; scripts injected by authenticated administrators execute in the browsers of users who interact with the affected interface
Action: Immediate Patch
AI Analysis

Impact

Kiteworks Email Protection Gateway contains a stored cross-site scripting flaw that permits authenticated administrators to embed malicious scripts via a configuration interface. When end users interact with the affected UI, the stored script executes in the user's browser. The vulnerability is categorized as CWE-79 and carries a CVSS score of 8.1, reflecting a high-severity risk to confidentiality and integrity.

Affected Systems

The issue affects all Kiteworks Email Protection Gateway installations running any version earlier than 9.2.0. Administrators with valid credentials can use the configuration interface to inject scripts, and the risk extends to any user who interacts with the affected UI. Upgrading to version 9.2.0 or later removes the vulnerability.

Risk and Exploitability

With a CVSS score of 8.1, the flaw has significant potential impact, yet its EPSS score of less than 1% indicates a currently low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been recorded. Based on the description, it is inferred that exploitation requires an authenticated administrator session with access to the configuration interface, and that the root cause is the application's failure to sanitize the stored input, compounded by the lack of a protective Content Security Policy.

Generated by OpenCVE AI on April 18, 2026 at 10:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Kiteworks 9.2.0 or newer to apply the vendor-supplied patch
  • Deploy a strict Content Security Policy on the administration portal to block inline script execution
  • Revoke or rotate any unused administrative credentials and enforce least-privilege access until the patch is in place

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 20:00:00 +0000

Type: First Time appeared
  Values Added: Accellion; Accellion kiteworks
Type: CPEs
  Values Added: cpe:2.3:a:accellion:kiteworks:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Accellion; Accellion kiteworks

Tue, 03 Mar 2026 21:15:00 +0000

Type: Metrics
  Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type: First Time appeared
  Values Added: Kiteworks; Kiteworks security-advisories
Type: Vendors & Products
  Values Added: Kiteworks; Kiteworks security-advisories

Fri, 27 Feb 2026 20:30:00 +0000

Type: Description
  Values Added: Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when users interact with the affected user interface. Version 9.2.0 contains a patch for the issue.
Type: Title
  Values Added: Kiteworks Email Protection Gateway has a Cross-site Scripting vulnerability
Type: Weaknesses
  Values Added: CWE-79
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV3_1
  {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T20:27:59.264Z

Reserved: 2026-02-26T01:52:58.733Z

Link: CVE-2026-28272

Vulnrichment

Updated: 2026-03-03T20:27:56.376Z

NVD

Status: Analyzed

Published: 2026-02-27T21:16:18.703

Modified: 2026-03-04T19:48:26.303

Link: CVE-2026-28272

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z

Weaknesses