Cyber Posture

CVE-2026-26861

High · Public PoC

Published: 27 February 2026
Modified: 03 March 2026
KEV Added: not listed
Patch: fix available (pull request #417, see GitHub references below)
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L)
EPSS Score: 0.0001 (1.0th percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26861 is a high-severity Origin Validation Error (CWE-346) vulnerability in the CleverTap Web SDK. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE is ranked at the 1.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Session Hijacking (T1185) and 4 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-2, Flaw Remediation): Directly mitigates the CVE by requiring timely remediation through updating the vulnerable CleverTap Web SDK to a version with fixed origin validation.
- prevent (SI-10, Information Input Validation): Addresses the root cause by enforcing proper validation of postMessage event origins to block subdomain bypasses.
- prevent: Mitigates XSS impact by filtering custom HTML/JS payloads received via postMessage before rendering in the preview function.

MITRE ATT&CK Enterprise Techniques

- T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
- T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
- T1550.004 Web Session Cookie (Lateral Movement): Adversaries can use stolen session cookies to authenticate to web applications and services.
- T1606.001 Web Cookies (Credential Access): Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
- T1659 Content Injection (Initial Access): Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic.
Why these techniques?

XSS via a bypassed postMessage origin check enables direct arbitrary JavaScript execution in the target site's context, facilitating browser session hijacking (T1185), stealing web session cookies (T1539), using stolen cookies as alternate authentication material (T1550.004), forging web credentials via cookies (T1606.001), and injecting or modifying page content (T1659).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain.

Deeper analysis

CVE-2026-26861 is a Cross-Site Scripting (XSS) vulnerability affecting CleverTap Web SDK versions 1.15.2 and earlier. The issue resides in the handleCustomHtmlPreviewPostMessageEvent function within src/util/campaignRender/nativeDisplay.js, where origin validation for window.postMessage events relies on the includes() method. This check can be bypassed by an attacker using a subdomain that partially matches the expected origin string, allowing malicious payloads to be processed.

The vulnerability has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L), indicating it is exploitable over the network with low complexity and no privileges required, though user interaction is needed. A remote attacker can craft a malicious webpage on a controllable subdomain (e.g., attacker.example.com targeting example.com), then trick a user into visiting it while the vulnerable SDK is loaded on the target site. Upon user interaction, such as loading the page, the attacker sends a postMessage with a crafted origin, evading validation and injecting arbitrary JavaScript. This grants high-impact confidentiality and integrity violations, such as stealing session cookies or modifying page content, with low availability impact.

GitHub references detail the flaw and remediation: the vulnerable code is shown at lines 118-121 in nativeDisplay.js, issue #424 reports the problem, and pull request #417 provides the fix by improving origin validation. Security practitioners should advise updating the CleverTap Web SDK to a version incorporating this patch to mitigate the issue.
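To make the root cause concrete for code review, the following is an added example (not CleverTap's code, and not a reproduction of the SDK's handler) contrasting a substring-style origin check with an exact allow-list check for a window.postMessage handler. The trusted origin, the sample origins and the function names are all constructed for illustration; the weak check only mirrors the includes() pattern the NVD description names.

```javascript
// Added example (not the CleverTap Web SDK's code). Shows why a substring
// origin check on postMessage events is bypassable and what the exact
// allow-list check looks like. Every origin below is constructed.

// Constructed allow-list of full origins (scheme + host + port) that may
// send preview messages. Exact strings, no patterns.
const TRUSTED_ORIGINS = new Set(['https://example.com']);

// Weak check: accepts any origin whose string merely contains the trusted
// host name. Illustrates the includes()-style pattern named in the advisory.
function isTrustedOriginWeak(origin) {
  return origin.includes('example.com');
}

// Hardened check: exact match against the allow-list. A subdomain, a
// lookalike registrable domain or a different scheme all fail.
function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// A message handler that acts only on allow-listed origins, validates the
// message shape, and returns the payload as plain text for the caller to
// render via textContent (never innerHTML). Returns a result object so the
// behaviour can be inspected offline without a real MessageEvent.
function handlePreviewMessage(event) {
  if (!isTrustedOrigin(event.origin)) {
    return { accepted: false, reason: 'untrusted origin ' + event.origin };
  }
  if (typeof event.data !== 'object' || event.data === null ||
      typeof event.data.text !== 'string') {
    return { accepted: false, reason: 'unexpected message shape' };
  }
  return { accepted: true, text: event.data.text };
}

// Constructed origins a reviewer would want a handler to be tested against.
const SAMPLE_ORIGINS = [
  'https://example.com',            // the genuine origin
  'https://attacker.example.com',   // subdomain: the bypass the advisory describes
  'https://example.com.evil.test',  // lookalike registrable domain
  'http://example.com',             // wrong scheme
  'null',                           // opaque origin (sandboxed iframe, file:)
];

// Runs both checks over the sample origins and reports the verdicts side by
// side, so the difference between the two checks is visible in one table.
function compareChecks(origins = SAMPLE_ORIGINS) {
  return origins.map((origin) => ({
    origin,
    weak: isTrustedOriginWeak(origin),
    strict: isTrustedOrigin(origin),
  }));
}

// Stand-alone run: print the comparison table.
console.table(compareChecks());
```

When reviewing a postMessage listener, the thing to look for is the shape of the origin comparison: any use of includes(), indexOf(), startsWith() or endsWith() on event.origin accepts origins the author did not intend, whereas an exact match against a fixed set of full origins does not. Checking the message shape and rendering the payload as text are separate controls that limit impact if the origin check is ever wrong.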

Details

CWE(s): CWE-346 (Origin Validation Error)

Affected Products

- Vendor: clevertap
- Product: clevertap web sdk
- Versions: ≤ 1.15.2

CVEs Like This One

- CVE-2026-26862 · Same product: CleverTap Web SDK
- CVE-2026-41342 · Shared CWE-346
- CVE-2022-50975 · Shared CWE-346
- CVE-2022-50925 · Shared CWE-346
- CVE-2025-7659 · Shared CWE-346
- CVE-2026-34359 · Shared CWE-346
- CVE-2026-41057 · Shared CWE-346
- CVE-2026-23552 · Shared CWE-346
- CVE-2026-22794 · Shared CWE-346
- CVE-2024-57965 · Shared CWE-346

References