Cyber Resilience

CVE-2026-26862

High · Public PoC

Published: 27 February 2026

Modified: 03 March 2026
CVSS Score v3.1: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L)
EPSS Score: 0.0037 (28.3th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-26862 is a high-severity Cross-site Scripting (CWE-79) vulnerability in the CleverTap Web SDK (vendor: Clevertap). Its CVSS base score is 8.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 28.3th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CleverTap Web SDK versions 1.15.2 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability in the Visual Builder module. The issue stems from improper origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60), where the code uses the includes() method to check if originUrl contains "dashboard.clevertap.com". This check can be bypassed by an attacker using a crafted subdomain that includes the target string.

Attackers can exploit this vulnerability remotely with low complexity and no privileges required, though user interaction is necessary, as the CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L) indicates. By hosting a malicious page on a domain whose name incorporates "dashboard.clevertap.com" and sending a window.postMessage, an attacker who lures a user to that page while the SDK is loaded can bypass the origin check and execute arbitrary JavaScript in the victim's browser context. This enables high-impact confidentiality and integrity violations, such as theft of session tokens or sensitive data, with low availability impact.

Mitigation is addressed in the CleverTap web-sdk GitHub repository via pull request #417, which fixes the origin validation flaw. The vulnerability is documented in issue #442, and the vulnerable code snippet is available at the referenced lines in pageBuilder.js. Security practitioners should update to a patched version beyond 1.15.2.
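The substring origin check the analysis describes, beside an exact-match check, as an added illustration that is not CleverTap's code (the helper names, the trusted origin constant and the sample origins are assumptions):

```javascript
// Added illustration for CVE-2026-26862 (not the CleverTap SDK's code).
// Assumed trusted origin for the dashboard that the SDK should accept.
const TRUSTED_ORIGIN = "https://dashboard.clevertap.com";

// Weak check, mirroring the pattern the advisory describes: includes()
// accepts any origin string that merely contains the host name.
function weakOriginCheck(originUrl) {
  return originUrl.includes("dashboard.clevertap.com");
}

// Hardened check: parse the value and compare the serialized origin
// (scheme + host + port) exactly against the allow-list. Parsing also
// rejects malformed values instead of throwing inside the handler.
function strictOriginCheck(originUrl) {
  let parsed;
  try {
    parsed = new URL(originUrl);
  } catch {
    return false;
  }
  return parsed.origin === TRUSTED_ORIGIN;
}

// Constructed sample origins (no real hosts implied).
const SAMPLE_ORIGINS = [
  "https://dashboard.clevertap.com",                  // legitimate dashboard
  "https://dashboard.clevertap.com.attacker.example", // name contains the string
  "http://dashboard.clevertap.com",                   // wrong scheme
];

// Run both checks over the samples; returns [{origin, weak, strict}, ...].
function compareChecks(origins = SAMPLE_ORIGINS) {
  return origins.map((o) => ({
    origin: o,
    weak: weakOriginCheck(o),
    strict: strictOriginCheck(o),
  }));
}

// postMessage handler shape using the hardened check: untrusted senders
// are dropped before any message data is touched.
function makeMessageHandler(onTrusted) {
  return (event) => {
    if (!strictOriginCheck(event.origin)) return;
    onTrusted(event.data);
  };
}
```

The weak check returns true for the second sample while the strict check rejects it; only the exact dashboard origin passes both.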

Vulnerability details

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain.

CWE(s): CWE-79 (Cross-site Scripting)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

DOM XSS in the Web SDK enables drive-by compromise via a malicious page and postMessage (T1189), direct arbitrary JavaScript execution in the browser (T1059.007), and session token/cookie theft (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26861 · Same product: Clevertap Clevertap Web Sdk
CVE-2026-34568 · Shared CWE-79
CVE-2026-27087 · Shared CWE-79
CVE-2026-32540 · Shared CWE-79
CVE-2026-25361 · Shared CWE-79
CVE-2025-23847 · Shared CWE-79
CVE-2026-42524 · Shared CWE-79
CVE-2026-27627 · Shared CWE-79
CVE-2026-32721 · Shared CWE-79
CVE-2025-25099 · Shared CWE-79

Affected Assets

Vendor: clevertap
Product: clevertap web sdk
Versions: ≤ 1.15.2

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 Information Input Validation (prevent): Directly addresses the root cause by requiring validation of inputs like originUrl to prevent bypasses via crafted subdomains in postMessage handlers.

SI-2 Flaw Remediation (prevent): Requires organizations to remediate known flaws such as the improper includes() origin check in CleverTap Web SDK v1.15.2 and earlier by applying patches like PR #417.

Detect: Enables vulnerability scanning to identify deployed instances of this DOM-based XSS flaw in the Visual Builder module for prioritized remediation.
