CVE-2026-26861
- Source
- https://cve.org/CVERecord?id=CVE-2026-26861
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26861.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-26861
- Aliases
- Published
- 2026-02-27T18:16:12.043Z
- Modified
- 2026-03-13T04:11:41.977823Z
- Severity
-
- 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L CVSS Calculator
- Summary
- [none]
- Details
-
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain
- References
Affected packages
Git / github.com/clevertap/clevertap-web-sdk
Affected versions
1.*
1.0.0-beta.1
1.11.5
1.11.8
v1.*
v1.0.0
v1.0.0-beta.0
v1.0.0-beta.1
v1.0.0-beta.2
v1.0.0-beta.3
v1.0.0-beta.4
v1.0.0-beta.5
v1.0.0-beta.6
v1.0.0-beta.7
v1.1.0
v1.1.1
v1.1.1-release
v1.1.2
v1.1.3
v1.10.0
v1.10.1
v1.11.0
v1.11.1
v1.11.10
v1.11.11
v1.11.12
v1.11.13
v1.11.14
v1.11.15
v1.11.16
v1.11.2
v1.11.3
v1.11.4
v1.11.6
v1.11.7
v1.11.9
v1.12.0
v1.12.1
v1.13.0
v1.13.1
v1.13.2
v1.13.3
v1.13.4
v1.13.5
v1.13.6
v1.13.7
v1.14.0
v1.14.1
v1.14.2
v1.14.3
v1.14.4
v1.15.0
v1.15.1
v1.15.2
v1.2.0
v1.2.1
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.4.0
v1.4.1
v1.4.2
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.6.10
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.6.9-sw
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6