CVE-2026-26862

Published: Feb 27, 2026

Modified: Feb 27, 2026

PUBLISHED

Description

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/CleverTap/clevertap-web-sdk/issues/442

https://github.com/CleverTap/clevertap-web-sdk/pull/417

https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/modules/visualBuilder/pageBuilder.js#L56-L60

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-26862

Description

Affected Products

References