CVE-2026-28272

Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when users interact with the affected user interface. Version 9.2.0 contains a patch for the issue.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/kiteworks/security-advisories/security/advisories/GHSA-7hxj-ch78-xqgr	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:accellion:kiteworks:*:*:*:*:*:*:*:*

History

04 Mar 2026, 19:48

Type	Values Removed	Values Added
CPE		cpe:2.3:a:accellion:kiteworks::::::::
First Time		Accellion kiteworks Accellion
References	~~() https://github.com/kiteworks/security-advisories/security/advisories/GHSA-7hxj-ch78-xqgr -~~	() https://github.com/kiteworks/security-advisories/security/advisories/GHSA-7hxj-ch78-xqgr - Vendor Advisory

27 Feb 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-27 21:16

Updated : 2026-03-04 19:48

NVD link : CVE-2026-28272

Mitre link : CVE-2026-28272

CVE.ORG link : CVE-2026-28272

JSON object : View

Products Affected

accellion

kiteworks

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

8.1 /10