CVE-2026-26862
Received Received - Intake

DOM-Based XSS in CleverTap Web SDK Visual Builder Module

Vulnerability report for CVE-2026-26862, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-27

Last updated on: 2026-03-03

Assigner: MITRE

Description

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-27
Last Modified
2026-03-03
Generated
2026-07-06
AI Q&A
2026-02-27
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
clevertap clevertap_web_sdk to 1.15.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CleverTap Web SDK version 1.15.2 and earlier has a DOM-based Cross-Site Scripting (XSS) vulnerability in its Visual Builder module.

The vulnerability arises because the origin validation in the file src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to check if the originUrl contains "dashboard.clevertap.com".

This validation can be bypassed by an attacker who uses a crafted subdomain, allowing malicious scripts to be executed via window.postMessage.

Impact Analysis

This DOM-based XSS vulnerability can allow an attacker to execute arbitrary scripts in the context of the affected web application.

  • Steal sensitive user information such as cookies or session tokens.
  • Perform actions on behalf of the user without their consent.
  • Potentially deface the website or redirect users to malicious sites.
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26862. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart