CVE-2026-24751 Overview
CVE-2026-24751 is a reflected Cross-Site Scripting (XSS) vulnerability in Kiteworks Secure Data Forms. Kiteworks is a private data network (PDN) used to exchange sensitive content across organizations. The flaw affects all Kiteworks versions prior to 9.3.0. An external attacker can craft a malicious link that, when opened by an authenticated user, executes arbitrary JavaScript in the victim's browser session. The issue is tracked under [CWE-79] and resolved in Kiteworks 9.3.0.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in a victim's browser within the Kiteworks origin. This enables session theft where the session cookie is readable by script (i.e. not marked HttpOnly), credential harvesting through injected forms, and unauthorized actions performed with the victim's existing session, which remain possible even when the cookie itself cannot be read.
Affected Products
- Accellion Kiteworks versions prior to 9.3.0
- Kiteworks Secure Data Forms component
- All deployments of Kiteworks PDN running affected releases
Discovery Timeline
- 2026-06-01 - CVE-2026-24751 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-24751
Vulnerability Analysis
The vulnerability resides in the Kiteworks Secure Data Forms feature. Attacker-supplied input reflected by the application is not properly encoded before being rendered in the response. As a result, JavaScript embedded in a crafted request executes in the context of the Kiteworks origin when a user visits the malicious URL.
Because the flaw is reflected XSS rather than stored, exploitation requires user interaction. The attacker typically delivers the payload through a phishing email, instant message, or attacker-controlled web page that triggers the request. Once executed, the script operates under the victim's Kiteworks session and can read DOM content, issue authenticated API calls, or exfiltrate tokens.
The scope change indicated by the advisory has its usual CVSS meaning for XSS: the vulnerable component (the Kiteworks web application) and the impacted component (the victim's browser) are different. Because the script runs in the Kiteworks origin, it can reach anything that origin can, including authenticated API responses and same-origin storage. Confidentiality impact is high because sensitive form data and session material can be retrieved. Integrity impact is lower because the attacker acts only within the user's authenticated context rather than against the application itself.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]: the Secure Data Forms handler reflects user-controlled parameters into the HTML response without contextual output encoding (the encoder must match the context where the value lands, whether HTML text, an attribute value, or a JavaScript string). The absence of a Content Security Policy that would block inline script execution is not the root cause but a missing defense-in-depth control; with such a policy in place, the same encoding flaw would be far harder to exploit.
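The following is an added example, not Kiteworks code: the real Secure Data Forms handler is not public, so the template, the parameter name (title), the cookie and nonce handling are illustrative assumptions. It places the reflection pattern described above beside a hardened version that encodes for each output context, and adds the nonce-based CSP header that would act as the missing defense-in-depth control.

```python
import html
import json
import secrets

# Constructed sample input (not taken from the advisory): a typical reflected-XSS
# probe that tries to break out of an attribute value and inject a script element.
PROBE = '"><script>alert(document.cookie)</script>'


def render_vulnerable(form_title: str) -> str:
    """Reflect a request parameter into three output contexts by plain string
    concatenation. This is the CWE-79 pattern: the value is emitted as markup,
    so '<' and '"' keep their HTML meaning wherever they land."""
    return (
        "<h1>Form: " + form_title + "</h1>\n"
        '<input name="title" value="' + form_title + '">\n'
        '<script>var formTitle = "' + form_title + '";</script>'
    )


def encode_for_js_string(value: str) -> str:
    """JSON-encode a value for an inline <script> block, then escape '<', '>'
    and '&' as \\uXXXX so the HTML tokenizer can never see '</script' or '<!--'
    inside the string literal. The JS engine still recovers the original text,
    so the data is preserved exactly."""
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_hardened(form_title: str, nonce: str) -> str:
    """Same template with output encoding chosen per context: HTML text, quoted
    attribute value and JavaScript string each need a different encoder;
    html.escape() alone is not sufficient for the script block. The page's own
    inline script carries the CSP nonce so it keeps working under csp_header()."""
    text_ctx = html.escape(form_title, quote=False)
    attr_ctx = html.escape(form_title, quote=True)   # also encodes " and '
    js_ctx = encode_for_js_string(form_title)
    return (
        "<h1>Form: " + text_ctx + "</h1>\n"
        '<input name="title" value="' + attr_ctx + '">\n'
        '<script nonce="' + html.escape(nonce) + '">var formTitle = ' + js_ctx + ";</script>"
    )


def csp_header(nonce: str) -> str:
    """Defense in depth, not the fix: a nonce-based CSP makes the browser refuse
    any inline script that does not carry this response's nonce, so a reflected
    <script> element is not executed even if an encoding slip remains."""
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'"
    )


def count_script_openers(page: str) -> int:
    """Count literal '<script' openers in rendered HTML: a cheap check for whether
    an attacker-supplied tag survived rendering as real markup."""
    return page.lower().count("<script")


if __name__ == "__main__":
    nonce = secrets.token_urlsafe(16)
    print("vulnerable page <script openers:", count_script_openers(render_vulnerable(PROBE)))
    print("hardened page <script openers:  ", count_script_openers(render_hardened(PROBE, nonce)))
    print("Content-Security-Policy:", csp_header(nonce))
    print(render_hardened(PROBE, nonce))
```

The vulnerable render yields four live script openers (three reflections plus the template's own), the hardened render only the template's nonce-bearing one; the payload text survives as data in every context, which is the point of encoding rather than filtering.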
Attack Vector
The attack vector is network-based and requires no privileges, but it does require the target user to click a crafted link. The attacker constructs a URL targeting the vulnerable form endpoint, embeds a JavaScript payload in a reflected parameter, and lures an authenticated Kiteworks user to open it.
No verified proof-of-concept code is publicly available for this issue. Refer to the Kiteworks GitHub Security Advisory GHSA-xp8m-wmmp-f947 for vendor-supplied technical context.
Detection Methods for CVE-2026-24751
Indicators of Compromise
- Inbound HTTP requests to Kiteworks Secure Data Forms endpoints containing <script>, javascript:, onerror=, or URL-encoded equivalents in query parameters.
- Web server access logs showing reflected parameter values with HTML or JavaScript syntax characters such as <, >, " or their URL-encoded forms (for example %3C%73%63%72%69%70%74 decodes to <script). Decode parameters fully before matching, since payloads are often double-encoded to slip past single-pass filters.
- Unexpected outbound browser requests from authenticated Kiteworks sessions to attacker-controlled domains.
- User reports of unsolicited links referencing Kiteworks form URLs received via email or messaging.
Detection Strategies
- Deploy Web Application Firewall (WAF) rules that inspect query strings and POST bodies for XSS payload patterns directed at Kiteworks form endpoints. Treat this as a stopgap: signature lists are routinely bypassed with alternative tags, event handlers and encodings, so the rules buy time for the upgrade rather than replace it.
- Enable verbose application logging on the Kiteworks appliance and alert on request parameters containing script tags or event handler attributes.
- Correlate Referer headers and user-agent anomalies against successful Kiteworks authentication events to identify phishing-driven access. A Referer pointing at an external site on a request to a form endpoint is a strong signal, though the header is often stripped by mail clients or Referrer-Policy, so its absence proves nothing.
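The following added example (not from the advisory or from Kiteworks) turns the indicators listed above and the log-alerting strategy into a scanner over access-log lines. The combined log format, the /forms/ path prefix and the five sample lines are constructed assumptions; a real appliance's log layout and endpoint paths must be substituted. It decodes each parameter fully before matching, so the double-encoded payload in the third line is caught in its final form.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format. They are not taken from a real
# Kiteworks appliance; /forms/ is a placeholder for the Secure Data Forms endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2026:10:00:01 +0000] "GET /forms/view?id=42 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2026:10:00:05 +0000] "GET /forms/view?id=42&title=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 990 "https://phish.example/" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2026:10:00:09 +0000] "GET /forms/view?title=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 990 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jun/2026:10:00:12 +0000] "GET /forms/view?title=x%22%20onerror%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 990 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Jun/2026:10:00:15 +0000] "GET /api/files?q=javascript:alert(1) HTTP/1.1" 200 500 "-" "curl/8.0"
"""

FORM_PATH_PREFIX = "/forms/"   # assumption: adjust to the real Secure Data Forms path

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# One pattern per indicator from the list above, plus the bare tags that usually
# carry an event handler. Matching happens on the fully decoded parameter value.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "injected_tag": re.compile(r"<\s*(svg|img|iframe|body|details|math|object|embed)\b", re.I),
}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so double- and
    triple-encoded payloads are matched in their final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request(uri: str) -> list:
    """Return (param, decoded_value, [indicator names]) for each query parameter
    whose decoded value matches at least one indicator."""
    parts = urlsplit(uri)
    hits = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        matched = [label for label, rx in XSS_PATTERNS.items() if rx.search(value)]
        if matched:
            hits.append((name, value, matched))
    return hits


def scan_log(text: str) -> list:
    """Scan combined-format access log lines and return one finding per
    suspicious parameter, tagging whether the request hit a form endpoint and
    keeping the Referer so phishing-driven access can be correlated."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue   # unparsable line; a production scanner would count these
        path = urlsplit(m["uri"]).path
        for param, value, matched in scan_request(m["uri"]):
            findings.append({
                "line": lineno,
                "src": m["src"],
                "path": path,
                "form_endpoint": path.startswith(FORM_PATH_PREFIX),
                "param": param,
                "decoded": value,
                "matched": matched,
                "referer": m["referer"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['src']} {f['path']} param={f['param']!r} "
              f"matched={f['matched']} form_endpoint={f['form_endpoint']} decoded={f['decoded']!r}")
```

The first sample line is benign and produces nothing; the remaining four each produce one finding, and the last is flagged but marked as not hitting a form endpoint, which is the distinction an analyst would use to prioritise against this CVE specifically.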
Monitoring Recommendations
- Monitor browser-side Content Security Policy violation reports if CSP reporting is configured.
- Track Kiteworks audit logs for session token reuse from unexpected IP addresses following form access.
- Review email security gateway logs for URLs pointing to Kiteworks form paths with embedded script payloads.
How to Mitigate CVE-2026-24751
Immediate Actions Required
- Upgrade all Kiteworks deployments to version 9.3.0 or later without delay.
- Inventory exposed Kiteworks instances and confirm patch status across production and staging environments.
- Invalidate active user sessions after patching to revoke any tokens that may have been captured.
- Notify users to report suspicious Kiteworks links received outside normal workflows.
Patch Information
Kiteworks has released version 9.3.0, which remediates the reflected XSS in Secure Data Forms. Patch details are available in the Kiteworks GitHub Security Advisory GHSA-xp8m-wmmp-f947.
Workarounds
- Restrict access to the Kiteworks Secure Data Forms feature via network controls until the upgrade is applied.
- Deploy WAF signatures that block requests containing XSS payload patterns targeting form endpoints.
- Enforce a strict Content Security Policy at the reverse proxy to block inline script execution on Kiteworks responses. Test this in staging first: the appliance's own pages may rely on inline scripts, and a policy that blocks them breaks functionality as well as the attack. Check whether the appliance already sends a CSP header, since a second header from the proxy is combined with it rather than replacing it.
- Train users to avoid clicking unsolicited Kiteworks form links, especially those received from untrusted sources.
# Example WAF rule (ModSecurity 2.x/3.x) to block reflected XSS attempts; the /forms/ path
# prefix is an assumption and must be replaced with the actual Secure Data Forms endpoint.
# phase:2 inspects ARGS from both the query string and the POST body (needs SecRequestBodyAccess On).
SecRule REQUEST_URI "@rx /forms/" \
    "id:1026024751,phase:2,deny,status:403,log,chain,msg:'Potential CVE-2026-24751 XSS payload'"
    SecRule ARGS "@rx (?i)(<\s*script|javascript\s*:|\bon[a-z]+\s*=)" \
        "t:none,t:urlDecodeUni,t:htmlEntityDecode"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


