CVE-2026-24752 Overview
CVE-2026-24752 is a reflected cross-site scripting (XSS) vulnerability in Kiteworks Secure Data Forms. The flaw affects all Kiteworks versions prior to 9.3.0. An external attacker can craft a malicious link that, when clicked by an authenticated user, executes arbitrary JavaScript in the victim's browser session. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Kiteworks operates as a private data network (PDN) used by enterprises for secure file sharing, governance, and compliance workflows, making client-side compromise impactful for sensitive data handling.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in a victim's authenticated browser context, enabling session theft, data exfiltration, and impersonation within the Kiteworks PDN.
Affected Products
- Accellion Kiteworks versions prior to 9.3.0
- Kiteworks Secure Data Forms component
- All deployments using the affected form-rendering pipeline
Discovery Timeline
- 2026-06-01 - CVE-2026-24752 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-24752
Vulnerability Analysis
The vulnerability resides in the Secure Data Forms feature of Kiteworks. The application reflects attacker-controlled input back into rendered HTML responses without proper output encoding or sanitization. When a victim loads a crafted URL, the injected payload executes within the origin of the Kiteworks application.
The attack requires user interaction but no authentication on the attacker's side. The CVSS scope is changed because the executed script operates within the trusted Kiteworks origin and can access resources beyond the vulnerable component. Confidentiality impact is high because session tokens, form data, and PDN file metadata are accessible to injected JavaScript.
Root Cause
The root cause is improper neutralization of user-supplied input during HTML page generation in the Secure Data Forms handler. Input passed through request parameters is incorporated into server responses without contextual escaping, allowing HTML and JavaScript markup to render as executable content.
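As an added illustration of this defect class (not Kiteworks code; the "title" parameter and the page layout are assumptions), the following compares raw reflection with encoders chosen per output context, which is the contextual escaping the handler lacked:

```python
import html
import json

# Added illustration of the CWE-79 defect class described above; this is not
# Kiteworks code. The "title" parameter and the page layout are assumptions.


def render_unsafe(title: str) -> str:
    """Reflects the request parameter verbatim into three output contexts,
    so any HTML or JavaScript metacharacters in it become live markup."""
    return (
        f"<h1>{title}</h1>"
        f'<input name="title" value="{title}">'
        f'<script>var formTitle = "{title}";</script>'
    )


def encode_for_html_body(value: str) -> str:
    """Element content: neutralise <, > and & so no tag can be opened."""
    return html.escape(value, quote=False)


def encode_for_html_attribute(value: str) -> str:
    """Quoted attribute: also neutralise quotes so the value cannot close the
    attribute and append an event handler such as onerror=."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Inline script literal: JSON-encode, then hex-escape <, > and & so the
    HTML parser never sees a closing </script> inside the literal."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_safe(title: str) -> str:
    """Same page as render_unsafe, with the encoder chosen per output context."""
    return (
        f"<h1>{encode_for_html_body(title)}</h1>"
        f'<input name="title" value="{encode_for_html_attribute(title)}">'
        f"<script>var formTitle = {encode_for_js_string(title)};</script>"
    )
```

Note that a single body-context encoder is not enough: the attribute and inline-script contexts each need their own escaping or a quote or closing tag still breaks out.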
Attack Vector
An attacker constructs a URL pointing to a vulnerable Secure Data Forms endpoint with a JavaScript payload embedded in a reflected parameter. The attacker delivers the link via phishing email, instant message, or a malicious page. When an authenticated Kiteworks user follows the link, the script executes under the Kiteworks origin and can issue API calls, exfiltrate session cookies, or manipulate form submissions on behalf of the user.
Refer to the Kiteworks GitHub Security Advisory GHSA-6798-vf3h-wcwr for vendor-published technical details.
Detection Methods for CVE-2026-24752
Indicators of Compromise
- Web server access logs containing Secure Data Forms request parameters with <script>, javascript:, onerror=, or URL-encoded equivalents such as %3Cscript%3E
- Outbound HTTP requests from user browsers to attacker-controlled domains immediately after visiting Kiteworks form URLs
- Unexpected Kiteworks API calls originating from legitimate user sessions shortly after link clicks
Detection Strategies
- Inspect HTTP request and response pairs for reflected input that contains HTML or JavaScript metacharacters in Secure Data Forms endpoints
- Deploy web application firewall (WAF) rules that flag reflected XSS patterns against the /forms/ and related Kiteworks request paths
- Correlate phishing-themed inbound emails containing Kiteworks form URLs with subsequent anomalous session activity
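An added example, not Kiteworks tooling, that applies the indicators and reflected-input checks above to web server access logs; the combined log format, the /forms/ path prefix and the sample lines are assumptions constructed for illustration:

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Added example, not Kiteworks tooling. The combined log format, the /forms/
# path prefix and the sample lines below are assumptions built for illustration.
XSS_MARKERS = re.compile(r"<script|javascript:|on(?:error|load)\s*=", re.IGNORECASE)
FORM_PATH_PREFIX = "/forms/"  # assumed Secure Data Forms path prefix
LOG_LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                      r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (TEST-NET-3 addresses); only the middle three should alert.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jun/2026:10:00:01 +0000] "GET /forms/view?id=42 HTTP/1.1" 200 512',
    '203.0.113.11 - - [01/Jun/2026:10:00:02 +0000] "GET /forms/view?id=42&title=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '203.0.113.12 - - [01/Jun/2026:10:00:03 +0000] "GET /forms/submit?next=javascript%3Aalert(1) HTTP/1.1" 302 0',
    '203.0.113.13 - - [01/Jun/2026:10:00:04 +0000] "GET /forms/view?id=42&title=%253Cscript%253E HTTP/1.1" 200 640',
    '203.0.113.14 - - [01/Jun/2026:10:00:05 +0000] "GET /static/app.js?v=%3Cscript%3E HTTP/1.1" 200 9000',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Strip repeated URL encoding so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list:
    """Return (name, decoded value) pairs carrying an XSS marker on a form path."""
    parts = urlsplit(target)
    if not fully_decode(parts.path).startswith(FORM_PATH_PREFIX):
        return []
    return [(name, fully_decode(value))
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if XSS_MARKERS.search(fully_decode(value))]


def scan_log(lines) -> list:
    """Return (client, status, hits) for every request that matches the indicators."""
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        hits = suspicious_params(match.group("target")) if match else []
        if hits:
            findings.append((match.group("client"), int(match.group("status")), hits))
    return findings
```

A hit with a 200 response is the case to inspect first, since the parameter was accepted and likely reflected into the page; pair it with the response body when full request and response logging is available.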
Monitoring Recommendations
- Enable verbose HTTP request logging on Kiteworks appliances and forward the logs to a centralized SIEM so they can be queried against XSS payload signatures
- Monitor browser-reported Content Security Policy (CSP) violations from Kiteworks origins
- Alert on Kiteworks user sessions that exhibit rapid changes in source IP, user agent, or API call volume following a form access
How to Mitigate CVE-2026-24752
Immediate Actions Required
- Upgrade all Kiteworks instances to version 9.3.0 or later as documented in the vendor advisory
- Identify and inventory any internet-exposed Kiteworks Secure Data Forms endpoints prior to patching
- Notify users of phishing risk involving Kiteworks form links until patching completes
Patch Information
Kiteworks has released version 9.3.0, which contains the fix for this vulnerability. Administrators should apply the upgrade following the vendor's standard update procedure. The official remediation is published in the Kiteworks Security Advisory GHSA-6798-vf3h-wcwr.
Workarounds
- Restrict access to Secure Data Forms endpoints via network controls until the upgrade is complete
- Deploy WAF rules that block requests containing HTML or JavaScript metacharacters in form parameters
- Enforce a strict Content Security Policy on the Kiteworks origin to limit inline script execution
- Train users to avoid clicking Kiteworks form links received from untrusted sources
# Example WAF rule (ModSecurity) blocking reflected XSS patterns on Kiteworks form endpoints.
# The two SecRule directives form one chain: the first scopes the check to the form
# paths and carries the disruptive action, the second inspects the decoded arguments.
SecRule REQUEST_URI "@beginsWith /forms/" \
    "phase:2,deny,status:403,id:1026024752,chain,\
    msg:'Potential CVE-2026-24752 XSS attempt'"
    # Arguments are URL-decoded once before matching; the %3Cscript alternative
    # still catches input that was double-encoded to survive that decoding.
    SecRule ARGS "@rx (?i)(<script|javascript:|onerror=|onload=|%3Cscript)" \
        "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.