CVE-2026-26862

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-26862

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26862.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-26862

Aliases

GHSA-jfrq-hj9f-c8qx

Published

2026-02-27T18:16:12.163Z

Modified

2026-03-13T04:11:42.009946Z

Severity

8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L CVSS Calculator

Summary

[none]

Details

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain

References

Affected packages

Git / github.com/clevertap/clevertap-web-sdk

Affected ranges

Type

GIT

Repo

https://github.com/clevertap/clevertap-web-sdk

Events

Introduced

Last affected

4d2e60f4f975c39675642dfaa289332c6c04dc56

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.15.2"
        }
    ]
}

Affected versions

1.*

1.0.0-beta.1

1.11.5

1.11.8

v1.*

v1.0.0

v1.0.0-beta.0

v1.0.0-beta.1

v1.0.0-beta.2

v1.0.0-beta.3

v1.0.0-beta.4

v1.0.0-beta.5

v1.0.0-beta.6

v1.0.0-beta.7

v1.1.0

v1.1.1

v1.1.1-release

v1.1.2

v1.1.3

v1.10.0

v1.10.1

v1.11.0

v1.11.1

v1.11.10

v1.11.11

v1.11.12

v1.11.13

v1.11.14

v1.11.15

v1.11.16

v1.11.2

v1.11.3

v1.11.4

v1.11.6

v1.11.7

v1.11.9

v1.12.0

v1.12.1

v1.13.0

v1.13.1

v1.13.2

v1.13.3

v1.13.4

v1.13.5

v1.13.6

v1.13.7

v1.14.0

v1.14.1

v1.14.2

v1.14.3

v1.14.4

v1.15.0

v1.15.1

v1.15.2

v1.2.0

v1.2.1

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.4.0

v1.4.1

v1.4.2

v1.5.0

v1.5.1

v1.5.2

v1.6.0

v1.6.1

v1.6.10

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.6.8

v1.6.9

v1.6.9-sw

v1.7.0

v1.7.1

v1.7.2

v1.7.3

v1.7.4

v1.7.5

v1.7.6

v1.8.0

v1.8.1

v1.8.2

v1.8.3

v1.9.0

v1.9.1

v1.9.2

v1.9.3

v1.9.4

v1.9.5

v1.9.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26862.json"