HIGHCVE-2026-26861Published Modified CNA mitre
CVE-2026-26861: CleverTap Web SDK version 1
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain
Metrics
- CVSS v3.1
- 8.3
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
Affected packages
- n/a / n/an/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:LReferences