{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26861", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-02-27T19:42:58.097Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-02-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-27T17:10:45.967Z"}, "descriptions": [{"lang": "en", "value": "CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/CleverTap/clevertap-web-sdk/issues/424"}, {"url": "https://github.com/CleverTap/clevertap-web-sdk/pull/417"}, {"url": "https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/util/campaignRender/nativeDisplay.js#L118-L121"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-346", "lang": "en", "description": "CWE-346 Origin Validation Error"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T19:42:32.310570Z", "id": "CVE-2026-26861", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T19:42:58.097Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26861", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T19:42:32.310570Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346 Origin Validation Error"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T19:41:16.290Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/CleverTap/clevertap-web-sdk/issues/424"}, {"url": "https://github.com/CleverTap/clevertap-web-sdk/pull/417"}, {"url": "https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/util/campaignRender/nativeDisplay.js#L118-L121"}], "descriptions": [{"lang": "en", "value": "CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-27T17:10:45.967Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26861", "state": "PUBLISHED", "dateUpdated": "2026-02-27T19:42:58.097Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-27T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:clevertap:clevertap_web_sdk:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4F60CE8-3848-4625-82B3-64963E248307", "versionEndIncluding": "1.15.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain"}], "id": "CVE-2026-26861", "lastModified": "2026-03-03T18:46:02.547", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-27T18:16:12.043", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/util/campaignRender/nativeDisplay.js#L118-L121"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/CleverTap/clevertap-web-sdk/issues/424"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/CleverTap/clevertap-web-sdk/pull/417"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.15.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "web_sdk", "vendor": "clevertap"}], "analysis": {"en": {"generated_at": "2026-04-16T15:47:46.963884+00:00", "value": {"mitigation_remediation": ["Upgrade the CleverTap Web SDK to the latest available version that contains the origin\u2011validation fix.", "Replace the existing origin check in handleCustomHtmlPreviewPostMessageEvent with strict equality against the expected origin, rejecting any subdomains or unexpected origins.", "Sanitize or escape any HTML content provided to the SDK before rendering, and consider disabling or removing the postMessage handler if it is not required."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting (RCE)"}, "threat_synthesis": {"affected_systems": "CleverTap Web SDK is the product affected. The library version range 1.15.2 and earlier is vulnerable. All deployments that rely on the advertised SDK without upgrading beyond these versions are exposed.", "description_and_impact": "The CleverTap Web SDK (version 1.15.2 and earlier) contains a Cross\u2011Site Scripting weakness. The SDK\u2019s event handler handleCustomHtmlPreviewPostMessageEvent performs origin validation by using the includes() method, which is insufficient. An attacker can craft a message from a subdomain of the trusted origin and evade the check, causing arbitrary JavaScript to execute in the visitor\u2019s browser. This flaw can lead to disclosure of sensitive information, session hijacking, or manipulation of the page, effectively granting the attacker remote code execution in the victim\u2019s context.", "risk_and_exploitability": "The CVSS score of 8.3 indicates high severity. The EPSS score is below 1\u202f%, implying that exploitation is unlikely but possible. The flaw is not listed in CISA\u2019s KEV catalog. Attackers can exploit the vulnerability remotely by sending a crafted postMessage from a subdomain, bypassing the includes\u2011based origin check. Successful exploitation would provide the attacker with the same privileges as the page\u2019s JavaScript context, potentially allowing full control of the user session."}}}}, "created": "2026-03-02T12:07:28.553225+00:00", "title": "Cross\u2011Site Scripting via Improper Origin Validation in CleverTap Web SDK", "updated": "2026-04-16T16:00:13.861321+00:00", "vendors": ["clevertap", "clevertap$PRODUCT$web_sdk"]}