CVE-2026-24782
Kiteworks Secure Data Forms has a SQL Injection vulnerability
In short
Kiteworks Secure Data Forms has a flaw that allows authenticated users with FormBuilder permissions to inject malicious SQL commands, potentially stealing or modifying other users' form data and system settings.
Technical detail
SQL Injection vulnerability in Kiteworks Secure Data Forms (CVE-2026-24782, CVSS 7.6), exploitable by an authenticated attacker holding the FormBuilder role. The attack vector is crafted SQL passed through form definition parameters, which enables unauthorized retrieval and modification of other users' form definitions and of global configuration data. Mitigation requires upgrading to version 9.3.0 or later.
Summary generated and translated by AI from the official description.
Kiteworks is a private data network (PDN). Prior to version 9.3.0, multiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and some global configuration parameters. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Affected products
kiteworks · Secure Data Forms