CVE-2026-26862

HIGH EPSS 28.4%
Published Feb 27, 2026 (4mo ago) · Modified Mar 3, 2026 (4mo ago)
8.3 CVSS 3.1
High

Description

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify that the originUrl contains "dashboard.clevertap.com". Because includes() is a substring test rather than an exact origin comparison, any origin whose host string merely contains that value passes, so an attacker can bypass the check with a crafted subdomain under a domain they control.
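
The following is an added example and not the CleverTap SDK's own code. It reconstructs the substring pattern the description names (a plain includes() test on the origin string) beside an exact-match replacement, and runs both over constructed origins. It assumes the check receives event.origin from a "message" event (always of the form scheme://host[:port]), that the only trusted origin is https://dashboard.clevertap.com, and that the function and variable names are illustrative.

```javascript
// Added example (not the CleverTap SDK's own code): why a substring test on a
// postMessage origin is bypassable, and an exact-match replacement.
// Assumptions: the check receives event.origin, which is always
// scheme://host[:port]; the trusted origin is the dashboard host named in the
// advisory. All sample origins below are constructed for this example.

const TRUSTED_ORIGINS = new Set(['https://dashboard.clevertap.com']);

// Vulnerable pattern described in the advisory: any origin string that
// merely contains the trusted hostname passes.
function isTrustedOriginSubstring(origin) {
  return origin.includes('dashboard.clevertap.com');
}

// Hardened check: parse the origin and compare scheme, host and port exactly.
// Unparseable values, including the literal "null" origin that sandboxed
// iframes and other opaque origins produce, are rejected.
function isTrustedOriginExact(origin) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false;
  }
  // URL.origin normalises default ports, so "https://host:443" compares
  // equal to "https://host", but a different scheme or host never does.
  return TRUSTED_ORIGINS.has(parsed.origin);
}

// Minimal message handler: returns the payload only when the origin check
// passes, which is the decision a postMessage listener has to get right.
function handleVisualBuilderMessage(event, originCheck) {
  if (!originCheck(event.origin)) return null;
  return event.data;
}

// Constructed origins: the first is legitimate; the others are attacker
// chosen and all but the last contain the trusted hostname as a substring.
const SAMPLE_ORIGINS = [
  'https://dashboard.clevertap.com',                      // legitimate
  'https://dashboard.clevertap.com.attacker.example',     // crafted subdomain
  'https://dashboard.clevertap.com.attacker.example:8443',
  'http://dashboard.clevertap.com',                       // scheme downgrade
  'https://xdashboard.clevertap.com',                     // different host
  'null',                                                 // opaque origin
];

// Returns the origins the substring check accepts but the exact check
// rejects, i.e. every bypass in the sample set.
function findBypassOrigins(origins = SAMPLE_ORIGINS) {
  return origins.filter(
    (o) => isTrustedOriginSubstring(o) && !isTrustedOriginExact(o)
  );
}

// Simulated message from a crafted-subdomain origin (payload is a
// placeholder, not a real Visual Builder message format).
function simulateCraftedMessage() {
  const event = {
    origin: 'https://dashboard.clevertap.com.attacker.example',
    data: { type: 'constructed-payload' },
  };
  return {
    substringCheckAccepted:
      handleVisualBuilderMessage(event, isTrustedOriginSubstring) !== null,
    exactCheckAccepted:
      handleVisualBuilderMessage(event, isTrustedOriginExact) !== null,
  };
}

console.log('bypass origins:', findBypassOrigins());
console.log(simulateCraftedMessage());
```

The design point is that an origin is an opaque identity, not a string to search: compare event.origin against an allowlist of full origins (scheme, host, port) and nothing else. Prefix or suffix tests (startsWith, endsWith) fail the same way as includes(), and checking anything inside event.data instead of event.origin is not an origin check at all.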

CVSS Details

Base Score
8.3
Exploitability
2.8
Impact
5.5
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability Low

Threat Intelligence

EPSS Exploit Probability
28.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

Affected Products 1

Vendor      Product             Version   Range
clevertap   clevertap_web_sdk   *         ≤ 1.15.2

References 3

  • github.com https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/modules/visualBuilder/pageBuilder.js#L56-L60
    Product
  • github.com https://github.com/CleverTap/clevertap-web-sdk/issues/442
    Exploit, Issue Tracking, Vendor Advisory
  • github.com https://github.com/CleverTap/clevertap-web-sdk/pull/417
    Patch

Remediation

  • github.com https://github.com/CleverTap/clevertap-web-sdk/pull/417
    Patch