8.3

CleverTap Web SDK allows attackers to inject malicious code

CVE-2026-26862 GHSA-jfrq-hj9f-c8qx
Summary

The CleverTap Web SDK, used by websites and apps, has a security weakness that could allow hackers to inject malicious code into a user's browser. This could happen if a website using the SDK is visited by a user who has already visited a malicious website. To protect yourself, ensure you're using the latest version of the CleverTap Web SDK.

What to do
  • Update GitHub Actions clevertap-web-sdk to version 1.15.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| GitHub Actions | clevertap-web-sdk | <= 1.15.3 | 1.15.3 |
| clevertap | clevertap_web_sdk | <= 1.15.2 | – |
Original title
CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage
Original description
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain.
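The difference between a substring origin check and an exact origin comparison, as an added example for defenders reviewing postMessage handlers; this is not the SDK's source code. The function names, the single-entry allowlist and the sample origins are assumptions constructed for illustration.

```javascript
// Added illustration, not the SDK's source. Names and allowlist are assumptions.
const TRUSTED_ORIGINS = new Set(["https://dashboard.clevertap.com"]);

// Substring check of the kind the advisory describes.
function isTrustedOriginWeak(originUrl) {
  return typeof originUrl === "string" &&
    originUrl.includes("dashboard.clevertap.com");
}

// Hardened check: parse the value and compare scheme + host + port exactly.
function isTrustedOriginStrict(originUrl) {
  if (typeof originUrl !== "string") return false;
  let parsed;
  try {
    parsed = new URL(originUrl);
  } catch (err) {
    return false; // malformed input, or the opaque origin string "null"
  }
  return TRUSTED_ORIGINS.has(parsed.origin);
}

// Hypothetical message handler: drop anything that fails the strict check
// before the payload is read.
function acceptMessage(event) {
  if (!isTrustedOriginStrict(event.origin)) return null;
  return event.data;
}

// Constructed sample origins (.test is a reserved, non-routable TLD).
const SAMPLES = [
  "https://dashboard.clevertap.com",              // expected sender
  "https://dashboard.clevertap.com.example.test", // trusted name as leading labels only
  "http://dashboard.clevertap.com",               // right host, wrong scheme
  "null",                                         // opaque origin (e.g. sandboxed frame)
];

function compareChecks(samples) {
  return samples.map((origin) => ({
    origin,
    weak: isTrustedOriginWeak(origin),
    strict: isTrustedOriginStrict(origin),
  }));
}

console.table(compareChecks(SAMPLES));
```

Rows where `weak` is true and `strict` is false are the inputs a substring check lets through; the same table works as a regression test when auditing other message handlers.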
nvd CVSS3.1 8.3
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
CWE-829
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026