CVE-2026-26862
Severity: HIGH · EPSS 28.4%
Published Feb 27, 2026 (4 months ago) · Modified Mar 3, 2026 (4 months ago)
CVSS 3.1 base score: 8.3
Description
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify that originUrl contains "dashboard.clevertap.com", a substring check that can be bypassed by an attacker using a crafted subdomain.
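The substring check described above, shown beside a strict origin allow-list, as an added illustration that is not the CleverTap SDK's own code; the handler shape and host names are constructed for the example.

```javascript
// Added example (not CleverTap's code): the weak substring origin check the
// advisory describes, beside an exact-origin comparison a defender would use.

// Weak: any origin string that merely contains the expected host passes,
// which is the flaw the advisory attributes to pageBuilder.js.
function isTrustedOriginWeak(originUrl) {
  return originUrl.includes("dashboard.clevertap.com");
}

// Hardened: compare the full origin (scheme + host + port) against an exact
// allow-list. event.origin from postMessage is already a normalized origin,
// so parsing it with URL() and comparing .origin rejects look-alike hosts
// and scheme downgrades alike.
const TRUSTED_ORIGINS = new Set(["https://dashboard.clevertap.com"]);

function isTrustedOriginStrict(originUrl) {
  let origin;
  try {
    origin = new URL(originUrl).origin; // throws on unparsable input
  } catch {
    return false;
  }
  return TRUSTED_ORIGINS.has(origin);
}

// Receiving-side handler shape (hypothetical): validate the origin first and
// only then act on event.data. Returns whether the message was accepted.
function makeMessageHandler(validate, onTrusted) {
  return (event) => {
    if (typeof event.origin !== "string" || !validate(event.origin)) {
      return false; // drop messages from every other origin
    }
    onTrusted(event.data);
    return true;
  };
}
```

In a real page the handler is registered with `window.addEventListener("message", makeMessageHandler(isTrustedOriginStrict, applyBuilderUpdate))`, so a message from a constructed origin such as `https://dashboard.clevertap.com.example.invalid` is discarded before any DOM update.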
CVSS Details
Base Score: 8.3 (CVSS 3.1)
Exploitability
Impact
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: Low
Threat Intelligence
EPSS exploit probability: 28.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 2
- CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| clevertap | clevertap_web_sdk | * | ≤1.15.2 |
References 3
- github.com https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/modules/visualBuilder/pageBuilder.js#L56-L60
- github.com https://github.com/CleverTap/clevertap-web-sdk/issues/442
- github.com https://github.com/CleverTap/clevertap-web-sdk/pull/417
Remediation
- github.com https://github.com/CleverTap/clevertap-web-sdk/pull/417