{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28272", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T01:52:58.733Z", "datePublished": "2026-02-27T20:22:59.656Z", "dateUpdated": "2026-03-03T20:27:59.264Z"}, "containers": {"cna": {"title": "Kiteworks Email Protection Gateway has a Cross-site Scripting vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-7hxj-ch78-xqgr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-7hxj-ch78-xqgr"}], "affected": [{"vendor": "kiteworks", "product": "security-advisories", "versions": [{"version": "< 9.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T20:22:59.656Z"}, "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when users interact with the affected user interface. Version 9.2.0 contains a patch for the issue."}], "source": {"advisory": "GHSA-7hxj-ch78-xqgr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T20:27:52.607127Z", "id": "CVE-2026-28272", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T20:27:59.264Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28272", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T20:27:52.607127Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T20:27:56.376Z"}}], "cna": {"title": "Kiteworks Email Protection Gateway has a Cross-site Scripting vulnerability", "source": {"advisory": "GHSA-7hxj-ch78-xqgr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kiteworks", "product": "security-advisories", "versions": [{"status": "affected", "version": "< 9.2.0"}]}], "references": [{"url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-7hxj-ch78-xqgr", "name": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-7hxj-ch78-xqgr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when users interact with the affected user interface. Version 9.2.0 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T20:22:59.656Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28272", "state": "PUBLISHED", "dateUpdated": "2026-03-03T20:27:59.264Z", "dateReserved": "2026-02-26T01:52:58.733Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-27T20:22:59.656Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:accellion:kiteworks:*:*:*:*:*:*:*:*", "matchCriteriaId": "B494C8D4-2D4B-4F5E-99C1-4CCE8DF6C911", "versionEndExcluding": "9.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when users interact with the affected user interface. Version 9.2.0 contains a patch for the issue."}], "id": "CVE-2026-28272", "lastModified": "2026-03-04T19:48:26.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-27T21:16:18.703", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-7hxj-ch78-xqgr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "security-advisories", "source": "cna", "vendor": "kiteworks"}, "product": "security-advisories", "vendor": "kiteworks"}], "analysis": {"en": {"generated_at": "2026-04-18T10:13:58.940265+00:00", "value": {"mitigation_remediation": ["Upgrade to Kiteworks 9.2.0 or newer to apply the vendor\u2011supplied patch", "Deploy a strict Content Security Policy on the administration portal to block inline script execution", "Revoke or rotate any unused administrative credentials and enforce least\u2011privilege access until the patch is in place"], "summary": {"action": "Immediate Patch", "impact": "Stored cross\u2011site scripting enabling malicious script execution by authenticated administrators"}, "threat_synthesis": {"affected_systems": "The issue affects all Kiteworks Email Protection Gateway installations running any version earlier than 9.2.0. Administrators with valid credentials can use the configuration interface to inject scripts, while the risk extends to any user who interacts with the compromised UI. Upgrading to version 9.2.0 or later removes the vulnerability.", "description_and_impact": "Kiteworks Email Protection Gateway contains a stored cross\u2011site scripting flaw that permits authenticated administrators to embed malicious scripts via a configuration interface. When end users interact with the affected UI, the injected script executes within the user\u2019s browser. The vulnerability is categorized as CWE\u201179 and carries a CVSS score of 8.1, reflecting a high\u2011severity risk to confidentiality and integrity.", "risk_and_exploitability": "With a CVSS score of 8.1, the flaw represents significant potential impact, yet its EPSS score of less than 1\u202f% indicates a currently low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been recorded. Based on the description, it is inferred that the attack vector requires an authenticated administrator session accessing the configuration interface, as the vulnerability exploits the application\u2019s failure to sanitize input and a lack of protective content\u2011security policy."}}}}, "created": "2026-03-02T12:04:56.619971+00:00", "updated": "2026-04-18T10:15:25.883346+00:00", "vendors": ["kiteworks", "kiteworks$PRODUCT$security-advisories"]}