{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26862", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-02-27T19:39:16.900Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-02-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-27T18:08:55.129Z"}, "descriptions": [{"lang": "en", "value": "CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains \"dashboard.clevertap.com\", which can be bypassed by an attacker using a crafted subdomain"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/CleverTap/clevertap-web-sdk/issues/442"}, {"url": "https://github.com/CleverTap/clevertap-web-sdk/pull/417"}, {"url": "https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/modules/visualBuilder/pageBuilder.js#L56-L60"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-829", "lang": "en", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T19:38:39.779264Z", "id": "CVE-2026-26862", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T19:39:16.900Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26862", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T19:38:39.779264Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T19:37:17.397Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/CleverTap/clevertap-web-sdk/issues/442"}, {"url": "https://github.com/CleverTap/clevertap-web-sdk/pull/417"}, {"url": "https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/modules/visualBuilder/pageBuilder.js#L56-L60"}], "descriptions": [{"lang": "en", "value": "CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains \"dashboard.clevertap.com\", which can be bypassed by an attacker using a crafted subdomain"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-27T18:08:55.129Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26862", "state": "PUBLISHED", "dateUpdated": "2026-02-27T19:39:16.900Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-27T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:clevertap:clevertap_web_sdk:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4F60CE8-3848-4625-82B3-64963E248307", "versionEndIncluding": "1.15.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains \"dashboard.clevertap.com\", which can be bypassed by an attacker using a crafted subdomain"}], "id": "CVE-2026-26862", "lastModified": "2026-03-03T18:44:20.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-27T18:16:12.163", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/modules/visualBuilder/pageBuilder.js#L56-L60"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/CleverTap/clevertap-web-sdk/issues/442"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/CleverTap/clevertap-web-sdk/pull/417"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-829"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.15.2]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "web_sdk", "vendor": "clevertap"}], "analysis": {"en": {"generated_at": "2026-04-16T15:48:07.307952+00:00", "value": {"mitigation_remediation": ["Upgrade the CleverTap Web SDK to the latest version that contains the fixed pageBuilder.js, which validates the origin correctly.", "If an upgrade is not immediately possible, modify the origin check to compare the full origin string exactly against \"https://dashboard.clevertap.com\", removing the substring includes() approach.", "Disabling the Visual Builder module or removing the postMessage handler until a patched SDK is deployed will prevent the XSS vector from being exercised."], "summary": {"action": "Immediate Patch", "impact": "DOM-based XSS"}, "threat_synthesis": {"affected_systems": "CleverTap Web SDK versions 1.15.2 and earlier are affected. The vulnerability resides in the src/modules/visualBuilder/pageBuilder.js component of the SDK. Any web application that incorporates the SDK and uses the Visual Builder module shares this risk.", "description_and_impact": "The vulnerability in CleverTap Web SDK allows an attacker to inject malicious scripts into the DOM through the window.postMessage API. The Visual Builder module performs origin validation by checking if the origin URL contains the string \"dashboard.clevertap.com\" using the includes() method. An attacker can craft a subdomain that contains this string, bypassing the validation and delivering arbitrary JavaScript code to pages that load the SDK. This leads to the execution of attacker\u2011controlled code in the victim\u2019s browser, compromising all data and functionality accessed by that user.", "risk_and_exploitability": "The CVSS score of 8.3 indicates a high severity impact. The EPSS score is reported as less than 1%, suggesting that, at present, the likelihood of exploitation is low, yet an attacker with the ability to register or control a subdomain can still bypass the origin check. The vulnerability is not listed in the CISA KEV catalog, meaning no known active exploits are documented. The attack vector is remote, requiring the attacker to host a malicious page that sends a postMessage to the SDK with a crafted origin that passes the lenient includes() check."}}}}, "created": "2026-03-02T12:07:29.693249+00:00", "title": "DOM\u2011based Cross\u2011Site Scripting via Window.postMessage in CleverTap Web SDK Visual Builder", "updated": "2026-04-16T16:00:13.861848+00:00", "vendors": ["clevertap", "clevertap$PRODUCT$web_sdk"]}