CVE-2026-24751 | Severity: HIGH | CNA: GitHub_M

CVE-2026-24751: Kiteworks Secure Data Forms Vulnerable to Cross-site Scripting

Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

Metrics

CVSS v3.1 base score: 8.2
Severity: HIGH
Fixed in: 9.3.0 (per the upstream advisory)
Affected products: 1


HarborGuard Analysis

Synopsis

A reflected cross-site scripting (XSS) vulnerability affects Kiteworks Secure Data Forms in versions prior to 9.3.0. The flaw is reachable over the network without authentication, but requires a victim to follow a crafted link or otherwise load attacker-controlled input in their browser. Successful exploitation lets the attacker execute arbitrary JavaScript in the victim's browser session, enabling session hijacking, credential theft, or actions performed in the application on the victim's behalf. The upstream advisory names version 9.3.0 as the fixed release; HarborGuard is tracking this advisory and will make a patched-image rebuild available for affected images.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-24751 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Kiteworks Secure Data Forms components.
Triage: Available

Triage is available at CVSS 8.2 (HIGH), with per-environment compliance policy weighting applied so the finding routes to the appropriate team inbox inside each customer organization.
Patch: Pending (rebuild not yet available)

The upstream advisory names 9.3.0 as the fixed release, so upgrading Kiteworks is the primary remediation. HarborGuard's patched-image rebuild for affected images is still pending: the advisory is re-checked on every ingest cycle, and the rebuild will be made available as soon as it can be built against the fixed release. Customers with auto-remediation enabled will then receive the rebuild, a regression-test run, and a PR opened against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the Kiteworks service over HTTP/S to deliver a malicious payload.

  • Authentication: Not required

    No account or credentials are needed; the attacker crafts a malicious URL and delivers it to a target without authenticating to the application.

  • Victim interaction: Required

    The victim must follow a crafted link or otherwise trigger the reflected payload in their browser, making this a social-engineering-dependent attack.

  • Attack complexity: Low

    No special conditions, race windows, or environmental prerequisites are required for the exploit to succeed reliably.

Blast Radius

  • The attacker executes arbitrary JavaScript inside the victim's authenticated browser session. Cookies flagged HttpOnly cannot be read by that script, but tokens kept in web storage can, and the script can in any case issue requests that carry the victim's session.
  • Sensitive data visible to the victim in the Kiteworks interface, including file metadata and form contents, can be read and exfiltrated.
  • The attacker can perform actions within the application on the victim's behalf, such as submitting forms or initiating file transfers.
  • Integrity impact is limited but present (CVSS I:L): attacker-controlled script can modify page content displayed to the victim in real time.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged HIGH (CVSS 8.2) and is actively tracked against all customer images that include Kiteworks Secure Data Forms components below version 9.3.0. The primary remediation is to upgrade to 9.3.0 or later, as the upstream advisory directs. Where that cannot be done immediately, interim controls include network-policy isolation to restrict which users and services can reach the Secure Data Forms endpoints, egress filtering to limit exfiltration paths if a session is compromised, and a Content Security Policy (CSP) header set at the reverse-proxy or WAF layer so that injected inline script does not execute. The CSP only helps if its effective script source list does not allow 'unsafe-inline' (or pairs it with a nonce or hash, which modern browsers treat as overriding 'unsafe-inline'), and a policy that strict can break the application's own inline scripts, so it should be tested first; Content-Security-Policy-Report-Only is the usual first step. HarborGuard re-evaluates the advisory on every ingest cycle; once the patched-image rebuild for 9.3.0 is available, customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR against affected workloads automatically.
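As an added illustration (not Kiteworks or HarborGuard code), the JavaScript below models the bug class described under Exploit Conditions and the CSP control above: a form page that reflects a query parameter into an HTML attribute unencoded, the same page with the parameter encoded, and a check of whether a reverse-proxy CSP would stop the injected inline script. The parameter name `ref`, the page markup, the payload and the policy strings are assumptions for illustration, not details from the advisory.

```javascript
// Added example, not Kiteworks or HarborGuard code. Models the bug class in the
// advisory (a request parameter reflected unencoded into a form page) next to
// the encoded version, and checks whether a CSP header would stop the payload.
// The "ref" parameter, the page markup and the CSP strings are assumptions.

// HTML-encode the five characters that matter in text and quoted-attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Reverse of escapeHtml, used to read back what ends up in the hidden field.
function decodeHtml(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, e) => map[e]);
}

// Vulnerable: "ref" is interpolated raw into a double-quoted attribute, so a
// value such as "><script>...</script> closes the attribute and the tag and
// injects a script element into the page.
function renderFormVulnerable(rawQuery) {
  const ref = new URLSearchParams(rawQuery).get('ref') || '';
  return `<form method="post"><input type="hidden" name="ref" value="${ref}"></form>`;
}

// Hardened: the same page with the parameter encoded for attribute context.
function renderFormSafe(rawQuery) {
  const ref = new URLSearchParams(rawQuery).get('ref') || '';
  return `<form method="post"><input type="hidden" name="ref" value="${escapeHtml(ref)}"></form>`;
}

// Does the rendered page contain a script element the template never emits?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// What value does the hidden "ref" field actually carry after rendering?
// On the vulnerable page the attribute is cut short at the injected quote.
function reflectedValue(html) {
  const m = /name="ref" value="([^"]*)"/.exec(html);
  return m ? decodeHtml(m[1]) : null;
}

// Parses a Content-Security-Policy header and reports whether it would block an
// injected inline <script>. Script elements are governed by script-src-elem,
// then script-src, then default-src; inline script runs only if the effective
// list carries 'unsafe-inline' without a nonce or hash (a nonce or hash makes
// CSP Level 2+ browsers ignore 'unsafe-inline'). An absent policy blocks nothing.
function cspBlocksInlineScript(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  const sources = directives.get('script-src-elem')
    || directives.get('script-src')
    || directives.get('default-src');
  if (!sources) return false;
  const unsafeInline = sources.includes("'unsafe-inline'");
  const nonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return !unsafeInline || nonceOrHash;
}

// Constructed sample request: the crafted link carries the payload
// "><script>alert(document.cookie)</script>, URL-encoded, in the "ref" parameter.
const CRAFTED_QUERY = 'ref=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable page has script element:', containsScriptElement(renderFormVulnerable(CRAFTED_QUERY)));
  console.log('hardened page has script element:', containsScriptElement(renderFormSafe(CRAFTED_QUERY)));
  console.log('hardened page preserves the value:', reflectedValue(renderFormSafe(CRAFTED_QUERY)));
  console.log("script-src 'self' blocks inline script:", cspBlocksInlineScript("default-src 'self'; script-src 'self'"));
  console.log("'unsafe-inline' blocks inline script:", cspBlocksInlineScript("default-src 'self' 'unsafe-inline'"));
}
```

The encoded page keeps the original `ref` value intact while neutralising the payload, which is the property a fix should have; the CSP check is the same question a reverse-proxy operator should ask of their own header before relying on it as an interim control.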

Affected packages
  • kiteworks / Secure Data Forms: < 9.3.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N