CVE-2026-26862 | THREATINT

Description

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain

PUBLISHED Reserved 2026-02-16 | Published 2026-02-27 | Updated 2026-02-27 | Assigner mitre

References

github.com/CleverTap/clevertap-web-sdk/issues/442

github.com/CleverTap/clevertap-web-sdk/pull/417

github.com/...1b65d/src/modules/visualBuilder/pageBuilder.js

cve.org (CVE-2026-26862)

nvd.nist.gov (CVE-2026-26862)

Download JSON