CVE-2026-26862
DOM-Based XSS in CleverTap Web SDK Visual Builder Module

Publication date: 2026-02-27

Last updated on: 2026-03-03

Assigner: MITRE

Description
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify that the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain.
Meta Information
Page generated: 2026-06-16
AI Q&A generated: 2026-02-27
EPSS evaluated: 2026-06-14
Affected Vendors & Products
Vendor: clevertap
Product: clevertap_web_sdk
Version / Range: up to and including 1.15.2
Weaknesses (CWE)
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-829: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Executive Summary

CleverTap Web SDK version 1.15.2 and earlier has a DOM-based Cross-Site Scripting (XSS) vulnerability in its Visual Builder module.

The vulnerability arises because the origin validation in the file src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to check if the originUrl contains "dashboard.clevertap.com".

This validation can be bypassed by an attacker who uses a crafted subdomain, allowing malicious scripts to be executed via window.postMessage.
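The following is an added illustrative example, not code from the CleverTap SDK or from this advisory. The advisory only states that the check in src/modules/visualBuilder/pageBuilder.js tests the origin with includes("dashboard.clevertap.com"); the function names, the allow-list, the message handler and the sample origins below are assumptions constructed to show why a substring test on event.origin is insufficient and what an exact-origin comparison looks like.

```javascript
// Added illustrative example, not CleverTap's code. The advisory says the SDK's
// check (src/modules/visualBuilder/pageBuilder.js) tests the origin with
// includes("dashboard.clevertap.com"); the function names, the allow-list and
// the sample origins below are assumptions constructed for this demonstration.

// Weak check of the kind the advisory describes: a substring test accepts any
// origin whose string merely contains the trusted host name.
function weakOriginCheck(originUrl) {
  return originUrl.includes("dashboard.clevertap.com");
}

// Hardened check: exact match of the whole origin (scheme + host + port)
// against an allow-list. The browser serializes event.origin as
// "scheme://host[:port]" with no path or query, so string equality is
// sufficient and no URL parsing is needed.
const ALLOWED_ORIGINS = new Set(["https://dashboard.clevertap.com"]);

function strictOriginCheck(originUrl) {
  return ALLOWED_ORIGINS.has(originUrl);
}

// A postMessage listener wired to the strict check. Messages from any other
// origin are dropped before their payload is touched; the boolean return
// value reports whether the message was accepted.
function makeMessageHandler(onTrustedMessage) {
  return function handler(event) {
    if (typeof event.origin !== "string" || !strictOriginCheck(event.origin)) {
      return false;
    }
    onTrustedMessage(event.data);
    return true;
  };
}

// Run both checks over a list of origins so the disagreements are visible.
function compareChecks(origins) {
  return origins.map((origin) => ({
    origin,
    weak: weakOriginCheck(origin),
    strict: strictOriginCheck(origin),
  }));
}

// Constructed sample origins in the form a browser delivers in event.origin.
const SAMPLE_ORIGINS = [
  "https://dashboard.clevertap.com",              // the legitimate dashboard
  "https://dashboard.clevertap.com.example.net",  // constructed: other registrable domain containing the string
  "http://dashboard.clevertap.com",               // constructed: same host, plaintext scheme
];

if (typeof window === "undefined") {
  // Node: print the comparison for the sample origins.
  console.table(compareChecks(SAMPLE_ORIGINS));
} else {
  // Browser: install the hardened listener.
  window.addEventListener("message", makeMessageHandler((data) => {
    console.log("trusted message", data);
  }));
}
```

Run under Node to see the table: the weak check accepts all three sample origins, the strict check accepts only the first. The same exact-origin comparison is what a consumer of the SDK should expect to see in a patched version, and a grep for includes() applied to event.origin (or any variable derived from it) is a quick way to spot the pattern in other postMessage listeners.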

Impact Analysis

This DOM-based XSS vulnerability can allow an attacker to execute arbitrary scripts in the context of the affected web application, which could be used to:

  • Steal sensitive user information such as cookies or session tokens.
  • Perform actions on behalf of the user without their consent.
  • Potentially deface the website or redirect users to malicious sites.