CVE-2026-26862 - Vulnerability Analysis

Overview

CleverTap Web SDK <= 1.15.2 contains a stored XSS caused by improper origin validation using includes() in Visual Builder module's window.postMessage, letting attackers execute scripts via crafted subdomains, exploit requires crafted subdomain.

Severity & Score

Impact

Attackers can execute arbitrary scripts in users' browsers, leading to session hijacking or data theft.

Mitigation

Update to a version later than 1.15.2 or the latest available version.

References

• https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/modules/visualBuilder/pageBuilder.js#L56-L60
• https://github.com/CleverTap/clevertap-web-sdk/issues/442
• https://github.com/CleverTap/clevertap-web-sdk/pull/417

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 28, 2026

🟠 CVE-2026-26862 - High (8.3) CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26862/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner