
CVE-2026-24750

Severity: High
Published: 25 March 2026
Modified: 27 March 2026
KEV Added: not listed
Patch: Kiteworks 9.2.1 or later
CVSS v3.1 score: 7.6 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L)
EPSS score: 0.0004 (13.7th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-24750 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Accellion Kiteworks. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Portal Capture (T1056.003). The CVE ranks at the 13.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-24750 is a stored cross-site scripting (XSS) vulnerability stemming from improper neutralization of input during web page generation (CWE-79) in Kiteworks Secure Data Forms prior to version 9.2.1. Kiteworks is a private data network (PDN), and the flaw affects the forms modification functionality, allowing persistent injection of malicious scripts into web pages. Published on 2026-03-25, it carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L).

An authenticated attacker with low privileges (PR:L) can exploit the vulnerability over the network (AV:N) with low complexity (AC:L) by injecting malicious payloads while modifying forms. Exploitation requires user interaction (UI:R), such as a victim viewing or interacting with the tampered form, after which the stored script executes in the victim's browser context. This enables high confidentiality and integrity impacts (C:H/I:H), such as stealing sensitive data or hijacking sessions, alongside low availability impact (A:L).

The Kiteworks security advisory, detailed at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-rfwm-2hq6-h84g, states that upgrading to Kiteworks version 9.2.1 or later applies the necessary patch to mitigate the issue.


Vulnerability details

Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, an authenticated attacker could exploit an Improper Neutralization of Input During Web Page Generation as Stored XSS when modifying forms. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1056.003 Web Portal Capture (tactic: Collection)
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service.

T1185 Browser Session Hijacking (tactic: Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (tactic: Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS directly enables arbitrary script execution in victim browsers via tampered forms, facilitating web portal input capture, browser session hijacking, and theft of web session cookies.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28272 (same product: Accellion Kiteworks)
CVE-2026-24751 (same product: Accellion Kiteworks)
CVE-2026-24752 (same product: Accellion Kiteworks)
CVE-2026-29092 (same product: Accellion Kiteworks)
CVE-2026-23514 (same product: Accellion Kiteworks)
CVE-2026-28270 (same product: Accellion Kiteworks)
CVE-2026-23636 (same product: Accellion Kiteworks)
CVE-2026-24782 (same product: Accellion Kiteworks)
CVE-2026-28269 (same product: Accellion Kiteworks)
CVE-2026-42733 (shared CWE-79)

Affected Assets

Vendor: accellion
Product: kiteworks
Versions: ≤ 9.2.1

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Requires validation of form modification inputs to prevent injection of malicious scripts in Kiteworks Secure Data Forms.

SI-15 Information Output Filtering (prevent): Mandates filtering of information outputs during web page generation to neutralize stored XSS payloads when forms are viewed.

SI-2 Flaw Remediation (prevent): Ensures timely flaw remediation by applying patches such as upgrading to Kiteworks version 9.2.1 to fix the XSS vulnerability.
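The following is an added illustration, not Kiteworks code and not derived from the advisory, of what the SI-10 and SI-15 controls above mean for a stored-form feature of the kind this CVE describes. The form structure, the function names (renderFormUnsafe, renderFormSafe, validateFormUpdate, escapeHtml) and the sample labels are all constructed for the example. It renders a stored form's field labels into HTML first by raw concatenation (the CWE-79 pattern), then with a validation pass at modification time and HTML entity encoding at page-generation time; the encoding step is what makes already-stored data safe regardless of how it entered the store.

```javascript
// Added example (not Kiteworks code): stored form-field labels rendered into
// HTML, first unsafely (string concatenation), then with the two controls the
// advisory maps to: SI-10 input validation and SI-15 output encoding.

// Constructed sample form; the second label carries a harmless XSS test marker.
const STORED_FORM = {
  title: "Vendor onboarding",
  fields: [
    { name: "company", label: "Company name" },
    { name: "contact", label: "Contact <script>alert(1)</script>" },
  ],
};

// Vulnerable renderer: stored text is spliced straight into the page (CWE-79).
// The marker in the label is emitted as live markup and would execute.
function renderFormUnsafe(form) {
  let html = `<h1>${form.title}</h1><form>`;
  for (const f of form.fields) {
    html += `<label for="${f.name}">${f.label}</label><input id="${f.name}" name="${f.name}">`;
  }
  return html + "</form>";
}

// SI-15 style output filtering: encode the five HTML-significant characters so
// stored text is always rendered as text and never parsed as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// SI-10 style input validation applied when a form is modified: field names
// are identifiers, labels are bounded free text with no markup characters.
// Returns a list of problems; an empty list means the change is acceptable.
function validateFormUpdate(form) {
  const problems = [];
  if (typeof form.title !== "string" || form.title.length === 0 || form.title.length > 200) {
    problems.push("title: must be 1-200 characters");
  }
  for (const f of form.fields) {
    if (!/^[a-z][a-z0-9_]{0,63}$/.test(f.name)) {
      problems.push(`${f.name}: invalid field name`);
    }
    if (typeof f.label !== "string" || f.label.length > 200 || /[<>]/.test(f.label)) {
      problems.push(`${f.name}: label must be at most 200 chars and contain no < or >`);
    }
  }
  return problems;
}

// Hardened renderer: every stored value passes through escapeHtml at output.
// Validation is defense in depth; encoding is what neutralizes data that is
// already in the store (for example, rows written before validation existed).
function renderFormSafe(form) {
  let html = `<h1>${escapeHtml(form.title)}</h1><form>`;
  for (const f of form.fields) {
    const name = escapeHtml(f.name);
    html += `<label for="${name}">${escapeHtml(f.label)}</label><input id="${name}" name="${name}">`;
  }
  return html + "</form>";
}

console.log("validation problems:", validateFormUpdate(STORED_FORM));
console.log("unsafe render:", renderFormUnsafe(STORED_FORM));
console.log("safe render:  ", renderFormSafe(STORED_FORM));
```

Run with `node` to see the three outputs: the validator flags the tampered label, the unsafe renderer emits the `<script>` element verbatim, and the safe renderer emits it as `&lt;script&gt;` text. In a real review of a form-editing feature, the question to ask is whether the rendering path applies encoding unconditionally (the SI-15 check) rather than relying on validation having been applied to every historical row (the SI-10 check).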
