CVE-2026-26862 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The orig…
High CVSS: 8.3

CVE-2026-26862

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain
Vendor
Clevertap
Product
Clevertap Web Sdk
CWE
CWE-79
Yayın Tarihi
2026-02-27 18:16:12
Güncelleme
2026-03-03 18:44:20
Source Identifier
cve@mitre.org
KEV Date Added
-

Kategoriler

CWE-79 Clevertap Web Sdk HIGH Clevertap 2026

Referanslar

https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/modules/visualBuilder/pageBuilder.js#L56-L60 https://github.com/CleverTap/clevertap-web-sdk/issues/442 https://github.com/CleverTap/clevertap-web-sdk/pull/417