Kiteworks Secure Data Forms: Nine Vulnerabilities Disclosed in Single Batch
Kiteworks disclosed nine vulnerabilities in its Secure Data Forms product, including SQL injection and XSS flaws, all patched in version 9.3.0.

Key findings
- Nine vulnerabilities in Kiteworks Secure Data Forms disclosed together on June 1, 2026.
- Flaws include SQL injection, multiple Insecure Direct Object References (IDOR), and Cross-Site Scripting (XSS).
- High-severity vulnerabilities (CVSS 7.6-8.2) include SQL injection and reflected XSS.
- All disclosed vulnerabilities affect versions prior to 9.3.0.
- Kiteworks has released version 9.3.0 to patch all identified security issues.
Kiteworks has addressed a batch of nine vulnerabilities affecting its Secure Data Forms component, all disclosed on June 1, 2026. The vulnerabilities range in severity from low to high (none reaches the CVSS critical band) and were all patched in version 9.3.0 of the product. Together they expose several security weaknesses in the form building and management functionality.
The most severe issues include multiple SQL injection vulnerabilities (CVE-2026-24782) that could allow an authenticated attacker with the FormBuilder role to access or modify other users' form definitions and global configuration parameters. Additionally, two high-severity reflected Cross-Site Scripting (XSS) vulnerabilities (CVE-2026-24751 and CVE-2026-24752) could enable external attackers to trick users into executing arbitrary JavaScript code. A stored XSS vulnerability (CVE-2026-24754) also poses a risk, allowing authenticated attackers to execute JavaScript within other users' sessions.
A significant portion of the disclosed vulnerabilities are Insecure Direct Object Reference (IDOR) flaws. These include CVE-2026-24761 (low severity), which allows access to metadata of other users' resources; CVE-2026-24756 and CVE-2026-24753 (medium severity), enabling modification of other users' resources; CVE-2026-24755 (medium severity), permitting modification of permissions on other users' resources; and CVE-2026-23638 (medium severity), which allows tampering with internal approval flow configurations of forms belonging to other users. These IDOR vulnerabilities stem from insufficient authorization checks on resource ownership.
All nine vulnerabilities were discovered in versions prior to 9.3.0. Kiteworks has released version 9.3.0 to address these security concerns, and users are strongly advised to upgrade to this version or later to mitigate the risks. The rapid disclosure of these nine distinct issues within a four-hour window underscores the importance of prompt patching for users of the Kiteworks platform.
This coordinated disclosure event provides a clear picture of the security posture of the Secure Data Forms component. The variety of vulnerabilities, from injection flaws to access control bypasses and XSS, indicates a need for thorough security reviews of web application components. Users should prioritize updating their Kiteworks instances to ensure protection against potential exploitation of these weaknesses.