Cyber Posture

CVE-2026-24750

Severity: High
Published: 25 March 2026
Modified: 27 March 2026
KEV Added: not listed
CVSS Score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L)
EPSS Score: 0.0004 (11.2th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-24750 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Accellion Kiteworks. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Portal Capture (T1056.003). The CVE ranks at the 11.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Web Portal Capture (T1056.003) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Requires validation of form modification inputs to prevent injection of malicious scripts in Kiteworks Secure Data Forms.

SI-15 Information Output Filtering (prevent)
Mandates filtering of information outputs during web page generation to neutralize stored XSS payloads when forms are viewed.

Flaw Remediation (prevent)
Ensures timely flaw remediation by applying patches such as upgrading to Kiteworks version 9.2.1 to fix the XSS vulnerability.

MITRE ATT&CK Enterprise Techniques

T1056.003 Web Portal Capture (Collection)
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

Stored XSS directly enables arbitrary script execution in victim browsers via tampered forms, facilitating web portal input capture, browser session hijacking, and theft of web session cookies.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, an authenticated attacker could exploit an Improper Neutralization of Input During Web Page Generation as Stored XSS when modifying forms. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.

Deeper analysis

CVE-2026-24750 is a stored cross-site scripting (XSS) vulnerability stemming from improper neutralization of input during web page generation (CWE-79) in Kiteworks Secure Data Forms prior to version 9.2.1. Kiteworks is a private data network (PDN), and the flaw affects the forms modification functionality, allowing persistent injection of malicious scripts into web pages. Published on 2026-03-25, it carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L).

An authenticated attacker with low privileges (PR:L) can exploit the vulnerability over the network (AV:N) with low complexity (AC:L) by injecting malicious payloads while modifying forms. Exploitation requires user interaction (UI:R), such as a victim viewing or interacting with the tampered form, after which the stored script executes in the victim's browser context. This enables high confidentiality and integrity impacts (C:H/I:H), such as stealing sensitive data or hijacking sessions, alongside low availability impact (A:L).

The Kiteworks security advisory, detailed at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-rfwm-2hq6-h84g, states that upgrading to Kiteworks version 9.2.1 or later applies the necessary patch to mitigate the issue.

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products: accellion / kiteworks, ≤ 9.2.1

CVEs Like This One

CVE-2026-28272 (same product: Accellion Kiteworks)
CVE-2026-23636 (same product: Accellion Kiteworks)
CVE-2026-28269 (same product: Accellion Kiteworks)
CVE-2026-29092 (same product: Accellion Kiteworks)
CVE-2026-23514 (same product: Accellion Kiteworks)
CVE-2026-28270 (same product: Accellion Kiteworks)
CVE-2026-1454 (shared CWE-79)
CVE-2025-22597 (shared CWE-79)
CVE-2026-28122 (shared CWE-79)
CVE-2026-4107 (shared CWE-79)
