CVE-2026-24782
Description
SQL Injection in Kiteworks Secure Data Forms (versions < 9.3.0) allows authenticated users to access or alter form definitions and global settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Multiple SQL Injection vulnerabilities exist in Kiteworks Secure Data Forms prior to version 9.3.0. These flaws allow for unauthorized access to and modification of other users' form definitions, as well as certain global configuration parameters [1].
Exploitation
Exploitation requires an authenticated account that has been assigned the FormBuilder role. An attacker holding that role can trigger the SQL injection flaws and gain access to sensitive form definitions and configuration settings [1].
Impact
Successful exploitation allows an attacker to retrieve information about or modify other users' form definitions. Additionally, the attacker can alter some global configuration parameters. This could lead to unauthorized data access, configuration tampering, and potential disruption of services [1].
Mitigation
Kiteworks has released version 9.3.0, which includes a patch for these vulnerabilities. Users are advised to upgrade to version 9.3.0 or later to remediate the issue [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.3.0
Patches
No patches discovered yet.
References: 1
News mentions
No linked articles in our index yet.