CVE-2026-26862
Published: 27 February 2026
Summary
CVE-2026-26862 is a high-severity Cross-site Scripting (CWE-79) vulnerability in the CleverTap Web SDK. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The vulnerability is ranked at the 5.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the root cause by requiring validation of inputs such as originUrl, so that crafted subdomains cannot bypass the postMessage handler's origin check.
- SI-2 (Flaw Remediation): requires organizations to remediate known flaws such as the improper includes() origin check in CleverTap Web SDK v1.15.2 and earlier by applying patches like PR #417.
- Vulnerability scanning: enables identification of deployed instances of this DOM-based XSS flaw in the Visual Builder module for prioritized remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
DOM-based XSS in the Web SDK lets a malicious page reach the victim through postMessage (Drive-by Compromise, T1189), execute arbitrary JavaScript in the victim's browser (Command and Scripting Interpreter: JavaScript, T1059.007), and steal session cookies or tokens (Steal Web Session Cookie, T1539).
NVD Description
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain.
Deeper analysis
CleverTap Web SDK versions 1.15.2 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability in the Visual Builder module. The issue stems from improper origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60), where the code uses the includes() method to check whether originUrl contains "dashboard.clevertap.com". A substring test accepts any origin whose string happens to contain that value, so an attacker-controlled hostname that embeds it (a crafted subdomain such as dashboard.clevertap.com.<attacker-domain>) passes the check even though it is not the CleverTap dashboard.
The CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L) reflects an attack that is reachable over the network, has low complexity and needs no privileges, but does require user interaction. The attacker hosts a page on such a crafted hostname and lures the user to it while a page that loads the SDK is open; because postMessage requires a window reference, the attacker's page opens or frames that page and posts a message to it. The message's origin contains "dashboard.clevertap.com", so it passes the check, and the Visual Builder handler executes attacker-supplied JavaScript in the victim's browser context. This enables high-impact confidentiality and integrity violations, such as stealing session tokens or sensitive data, with low availability impact.
Mitigation is addressed in the CleverTap web-sdk GitHub repository via pull request #417, which fixes the origin validation flaw. The vulnerability is documented in issue #442, and the vulnerable code snippet is available at the referenced lines in pageBuilder.js. Security practitioners should update to a patched version beyond 1.15.2 and, where the SDK cannot be updated immediately, confirm that any postMessage handler in their own pages compares the full origin against an allowlist rather than testing for a substring.
Details
- CWE(s)