CVE-2026-24754
Description
Stored XSS in Kiteworks Secure Data Forms allows authenticated attackers to run JavaScript in other users' sessions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Thank You Page configuration of Kiteworks Secure Data Forms prior to version 9.3.0. This flaw allows an authenticated attacker to inject arbitrary JavaScript code that can be executed in the sessions of other users [1].
Exploitation
An authenticated attacker can exploit this vulnerability by injecting malicious JavaScript code into the Thank You Page configuration. When another user views the affected page or interacts with the form, the injected script will execute within their session [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript code in the context of another user's session. This can lead to session hijacking, data theft, or further malicious actions within the Kiteworks application, depending on the privileges of the targeted user [1].
Mitigation
Kiteworks has released version 9.3.0, which addresses this vulnerability. Users are advised to upgrade to version 9.3.0 or later to receive the patch [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.3.0
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.