CVE-2026-26861
HIGH · CVSS 3.1 base score 8.3 · EPSS 7.9%
Published Feb 27, 2026 (4mo ago) · Modified Mar 3, 2026 (4mo ago)
Description
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method. Because includes() is a substring match rather than a comparison of the full origin, any message whose origin merely contains the expected string passes the check, which can be bypassed by an attacker using a subdomain.
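To make the flaw concrete, the following is an added example and not the CleverTap SDK's own code: it contrasts a substring origin check of the kind the description refers to with an exact-origin allowlist, and runs both against constructed message events. The trusted origin, the message shape and the function names are placeholders chosen for illustration.

```javascript
// Added example, not the SDK's code. The trusted origin below is an
// assumption for illustration, not the value the SDK actually checks.
const TRUSTED_ORIGIN = 'https://dashboard.example.com';

// Weak check: the pattern the advisory describes. String.prototype.includes
// accepts any origin that contains the trusted host anywhere in the string,
// so look-alike hosts, attacker-controlled subdomains and a plain-http
// variant all pass.
function isTrustedOriginWeak(origin) {
  return origin.includes('dashboard.example.com');
}

// Strict check: MessageEvent.origin is already a serialized origin
// (scheme://host[:port]), so comparing it for equality against an allowlist
// is sufficient. No parsing, no substring or suffix logic.
const ALLOWED_ORIGINS = new Set([TRUSTED_ORIGIN]);
function isTrustedOriginStrict(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Simulated preview handler. Returns the HTML it would render, or null when
// the message is rejected. A real handler would inject the markup into the
// page, which is exactly why the origin gate matters.
function handlePreviewMessage(event, checkOrigin) {
  if (typeof event.origin !== 'string' || !checkOrigin(event.origin)) return null;
  const msg = event.data;
  if (!msg || msg.type !== 'preview' || typeof msg.html !== 'string') return null;
  return msg.html;
}

// Constructed sample events: the first is from the genuine origin, the rest
// are origins an attacker could plausibly control or downgrade to, each of
// which contains the trusted host as a substring.
const PAYLOAD = { type: 'preview', html: '<img src=x onerror="alert(document.domain)">' };
const SAMPLE_EVENTS = [
  { origin: 'https://dashboard.example.com', data: PAYLOAD },
  { origin: 'https://dashboard.example.com.attacker.test', data: PAYLOAD },
  { origin: 'https://evil.dashboard.example.com', data: PAYLOAD },
  { origin: 'http://dashboard.example.com', data: PAYLOAD },
];

// Run every sample event through the handler with a given origin check and
// report which ones would have been rendered.
function evaluate(checkOrigin) {
  return SAMPLE_EVENTS.map(ev => ({
    origin: ev.origin,
    rendered: handlePreviewMessage(ev, checkOrigin) !== null,
  }));
}

// In a browser the hardened handler would be registered like this; the guard
// lets the file also run under Node for the comparison above.
if (typeof window !== 'undefined') {
  window.addEventListener('message', ev => {
    const html = handlePreviewMessage(ev, isTrustedOriginStrict);
    if (html !== null) {
      // render into a sandboxed or escaped container, never raw innerHTML
    }
  });
}

console.log('weak  :', evaluate(isTrustedOriginWeak));
console.log('strict:', evaluate(isTrustedOriginStrict));
```

With the weak check all four sample origins are rendered; with the exact-origin allowlist only the genuine one is. Note that the strict check also rejects the http:// variant, which a suffix or hostname-only comparison would still let through.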
CVSS Details
Base Score 8.3 · Exploitability 2.8 · Impact 5.5
Vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability Low
Threat Intelligence
EPSS exploit probability 7.9%
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-346 Origin Validation Error
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| clevertap | clevertap_web_sdk | * | ≤1.15.2 |
References 3
- github.com https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/util/campaignRender/nativeDisplay.js#L118-L121
- github.com https://github.com/CleverTap/clevertap-web-sdk/issues/424
- github.com https://github.com/CleverTap/clevertap-web-sdk/pull/417
Remediation
- github.com https://github.com/CleverTap/clevertap-web-sdk/pull/417