Cyber Resilience

CVE-2026-26861

Severity: High · Public PoC

Published: 27 February 2026
Modified: 03 March 2026
KEV Added: not listed
Patch: (no entry)
CVSS v3.1 score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L)
EPSS score: 0.0018 (7.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-26861 is a high-severity Origin Validation Error (CWE-346) vulnerability in Clevertap Clevertap Web Sdk. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE is ranked at the 7.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26861 is a Cross-Site Scripting (XSS) vulnerability affecting CleverTap Web SDK versions 1.15.2 and earlier. The issue resides in the handleCustomHtmlPreviewPostMessageEvent function within src/util/campaignRender/nativeDisplay.js, where origin validation for window.postMessage events relies on the includes() method. This check can be bypassed by an attacker using a subdomain that partially matches the expected origin string, allowing malicious payloads to be processed.

The vulnerability has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L), indicating it is exploitable over the network with low complexity and no privileges required, though user interaction is needed. A remote attacker can craft a malicious webpage on a controllable subdomain (e.g., attacker.example.com targeting example.com), then trick a user into visiting it while the vulnerable SDK is loaded on the target site. Upon user interaction, such as loading the page, the attacker sends a postMessage with a crafted origin, evading validation and injecting arbitrary JavaScript. This grants high-impact confidentiality and integrity violations, such as stealing session cookies or modifying page content, with low availability impact.

GitHub references detail the flaw and remediation: the vulnerable code is shown at lines 118-121 in nativeDisplay.js, issue #424 reports the problem, and pull request #417 provides the fix by improving origin validation. Security practitioners should advise updating the CleverTap Web SDK to a version incorporating this patch to mitigate the issue.
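To make the root cause concrete, here is an added illustration (not the CleverTap SDK's own code) of a postMessage origin check built on substring matching beside one built on exact comparison against an allowlist; the trusted origin, the sample origins and all function names are assumptions.

```javascript
// Added example (not the CleverTap SDK's own code): why a substring-based
// postMessage origin check is bypassable, and an exact-match replacement.
// The trusted origin, sample origins and function names are assumptions.

const TRUSTED_ORIGINS = new Set(["https://example.com"]);

// Weak check in the style the advisory describes: passes whenever the
// expected host string appears anywhere inside the sender's origin.
function isTrustedOriginWeak(origin) {
  return origin.includes("example.com");
}

// Strict check: event.origin is always "scheme://host[:port]" with no path,
// so it can be compared for exact equality against an allowlist.
function isTrustedOriginStrict(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Message handler that only acts on messages from an allowlisted origin.
// `render` is a hypothetical sink standing in for the preview renderer.
function makeHandler(check, render) {
  return (event) => {
    if (typeof event.origin !== "string" || !check(event.origin)) {
      return false;           // drop silently: not from a trusted window
    }
    render(event.data);
    return true;
  };
}

// Constructed sample origins: one legitimate, several that merely contain
// the trusted host as a substring.
const SAMPLE_ORIGINS = [
  "https://example.com",
  "https://attacker.example.com",           // subdomain, as in the advisory
  "https://example.com.attacker.test",      // trusted host as a label prefix
  "http://example.com",                     // scheme downgrade
];

// Feed every sample origin through a handler and count how many got rendered.
function evaluate(check) {
  const rendered = [];
  const handler = makeHandler(check, (data) => rendered.push(data));
  for (const origin of SAMPLE_ORIGINS) {
    handler({ origin, data: `html from ${origin}` });
  }
  return rendered.length;
}
```

If a whole family of subdomains must legitimately be accepted, parse the origin with `new URL()` and compare the hostname label by label (and still require `https:`); a bare `endsWith("example.com")` would still admit `notexample.com`, and any subdomain that a third party can control should not be on the allowlist at all.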

Vulnerability details

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1185 Browser Session Hijacking (tactic: Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (tactic: Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

T1550.004 Web Session Cookie (tactic: Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.

T1606.001 Web Cookies (tactic: Credential Access)
Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.

T1659 Content Injection (tactic: Initial Access)
Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic.
Why these techniques?

XSS via bypassed postMessage origin check enables direct arbitrary JS execution in target site context, facilitating browser session hijacking (T1185), stealing web session cookies (T1539), using stolen cookies as alternate auth material (T1550.004), forging web credentials via cookies (T1606.001), and injecting/modifying page content (T1659).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26862 (same product: Clevertap Clevertap Web Sdk)
CVE-2026-8950 (shared CWE-346)
CVE-2022-50975 (shared CWE-346)
CVE-2026-34927 (shared CWE-346)
CVE-2022-50925 (shared CWE-346)
CVE-2025-71217 (shared CWE-346)
CVE-2026-34929 (shared CWE-346)
CVE-2026-6508 (shared CWE-346)
CVE-2026-34930 (shared CWE-346)
CVE-2025-1102 (shared CWE-346)

Affected Assets

Vendor: clevertap
Product: clevertap web sdk
Versions: ≤ 1.15.2

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly mitigates the CVE by requiring timely remediation through updating the vulnerable CleverTap Web SDK to a version with fixed origin validation.

prevent: Addresses the root cause by enforcing proper validation of postMessage event origins to block subdomain bypasses.

prevent: Mitigates XSS impact by filtering custom HTML/JS payloads received via postMessage before rendering in the preview function.

References