Severity: HIGH | CVE-2026-24752 | CNA: GitHub_M

CVE-2026-24752: Kiteworks Secure Data Forms Vulnerable to Cross-site Scripting

Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

Metrics

CVSS v3.1: 8.2
Severity: HIGH
Fixed in: (not listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

A reflected cross-site scripting (XSS) vulnerability exists in Kiteworks Secure Data Forms, affecting all versions prior to 9.3.0. The vulnerability is reachable over the network with no authentication required, but a victim must be tricked into clicking a crafted link for the attack to succeed. Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser session, enabling session hijacking, credential theft, or unauthorized actions taken on the victim's behalf. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix version is published.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-24752 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that package Kiteworks Secure Data Forms components. Any image running an affected version below 9.3.0 is flagged automatically across both registry scans and CI pipeline checks.

Triage: Available

Triage is available with CVSS v3.1 scoring applied at a severity of HIGH (8.2), weighted against each customer environment's compliance policy to prioritize affected workloads accordingly. Findings are routed to the appropriate team inbox within each customer organization based on configured policy rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, HarborGuard surfaces the unresolved finding continuously so teams can apply compensating controls while waiting for the vendor patch.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim's browser session by delivering a crafted URL over the network, making the service's public or internal network exposure the entry point.

  • Authentication: Not required

    No account or credentials are needed; the attacker operates entirely as an unauthenticated external party.

  • Victim interaction: Required

    The attack succeeds only if a logged-in user clicks or follows a malicious link crafted by the attacker, making social engineering a necessary step.

  • Attack complexity: Low (AC:L)

    Exploit conditions are straightforward and reliable, with no race conditions or special environmental factors required beyond delivering the malicious link to the victim.

Blast Radius

  • Reads session tokens or authentication cookies from the victim's active browser session, enabling account takeover without further credential phishing.
  • Reads sensitive data displayed within Kiteworks Secure Data Forms pages that the victim has access to, including any private data visible in the current session context.
  • Performs actions inside the Kiteworks application on behalf of the victim, such as submitting or modifying form data, by injecting JavaScript that issues requests using the victim's authenticated session.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the CVE-2026-24752 advisory across every ingest cycle, with automatic flagging of any image containing Kiteworks Secure Data Forms below version 9.3.0. Because no upstream fix exists yet, HarborGuard will make a patched-image rebuild available the moment version 9.3.0 or a later fix release is published; customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention. While waiting for the upstream patch, consider compensating controls such as network-policy isolation to restrict which users can reach Secure Data Forms endpoints, egress filtering to limit JavaScript execution context, and internal user guidance to treat unexpected Kiteworks links with caution.
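As an added illustration, not code from Kiteworks or HarborGuard: a constructed form-confirmation handler showing the reflection pattern behind a bug of this class beside a hardened version whose per-context output encoding and response headers address the Blast Radius items above (HttpOnly keeps the session cookie away from page script; a CSP without 'unsafe-inline' stops injected inline script from running). The host, path and "form" parameter name are assumptions.

```python
import html
from typing import Dict, Tuple
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample link: the "form" parameter carries markup. The host,
# path and parameter name are assumptions, not Kiteworks endpoints.
CONSTRUCTED_LINK = "https://forms.example/confirm?form=%3Cscript%3Ex%3C%2Fscript%3E"


def _form_param(url: str) -> str:
    """Pull the 'form' query parameter out of a link, percent-decoding it."""
    return parse_qs(urlsplit(url).query).get("form", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflected-XSS pattern: the decoded parameter is concatenated straight
    into HTML, so whatever the link carried becomes part of the page."""
    return f"<h1>Thanks for submitting {_form_param(url)}</h1>"


def render_hardened(url: str) -> Tuple[str, Dict[str, str]]:
    """Hardened version: encode for each output context, and send headers
    that shrink the blast radius even if an encoding gap remains."""
    raw = _form_param(url)
    in_text = html.escape(raw, quote=True)   # HTML text / attribute context
    in_url = quote(raw, safe="")             # URL query-value context
    body = (
        f"<h1>Thanks for submitting {in_text}</h1>"
        f'<a href="/forms?name={in_url}">back</a>'
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # No 'unsafe-inline': script injected into the page body cannot execute.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
        # HttpOnly keeps the session cookie out of reach of document.cookie.
        "Set-Cookie": "session=OPAQUE_PLACEHOLDER; HttpOnly; Secure; SameSite=Lax",
    }
    return body, headers


if __name__ == "__main__":
    print(render_vulnerable(CONSTRUCTED_LINK))
    page, hdrs = render_hardened(CONSTRUCTED_LINK)
    print(page)
    print(hdrs["Content-Security-Policy"])
```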

Affected packages

  • kiteworks / Secure Data Forms: < 9.3.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N