CVE-2026-26861

HIGH EPSS 7.9%
Published Feb 27, 2026 · Modified Mar 3, 2026
8.3 CVSS 3.1
High

Description

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain.

CVSS Details

Base Score
8.3
Exploitability
2.8
Impact
5.5
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability Low

Threat Intelligence

EPSS Exploit Probability
7.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-346

Affected Products 1

Vendor    | Product           | Version | Range
clevertap | clevertap_web_sdk | *       | ≤1.15.2

References 3

  • github.com https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/util/campaignRender/nativeDisplay.js#L118-L121
    Product
  • github.com https://github.com/CleverTap/clevertap-web-sdk/issues/424
    Exploit · Issue Tracking · Vendor Advisory
  • github.com https://github.com/CleverTap/clevertap-web-sdk/pull/417
    Patch

Remediation

  • github.com https://github.com/CleverTap/clevertap-web-sdk/pull/417
    Patch