CVE-2026-26861 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent fun…
High CVSS: 8.3

CVE-2026-26861

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain
Vendor
Clevertap
Product
Clevertap Web Sdk
CWE
CWE-346
Yayın Tarihi
2026-02-27 18:16:12
Güncelleme
2026-03-03 18:46:02
Source Identifier
cve@mitre.org
KEV Date Added
-

Kategoriler

CWE-346 Clevertap Web Sdk HIGH Clevertap 2026

Referanslar

https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/util/campaignRender/nativeDisplay.js#L118-L121 https://github.com/CleverTap/clevertap-web-sdk/issues/424 https://github.com/CleverTap/clevertap-web-sdk/pull/417