8.3
CleverTap Web SDK allows hackers to inject malicious code into websites
CVE-2026-26861
GHSA-j5mf-6rh3-rhgg
Summary
A security weakness in older versions of the CleverTap Web SDK could allow hackers to inject malicious code into websites, potentially stealing user data or taking control of a site. This affects websites that use the CleverTap Web SDK version 1.15.2 or earlier. To fix this vulnerability, update to the latest version of the CleverTap Web SDK.
What to do
- Update GitHub Actions clevertap-web-sdk to version 1.15.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| GitHub Actions | clevertap-web-sdk | <= 1.15.3 | 1.15.3 |
| clevertap | clevertap_web_sdk | <= 1.15.2 | – |
Original title
CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function
Original description
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain.
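The description above names the root cause: a `message` handler that decides whether to trust `event.origin` with a substring test (`includes()`), so any origin whose string merely contains the expected host name passes. The following is an added example, not code from the CleverTap SDK or its fix; the allow-listed host `dashboard.example-vendor.com`, the message shape (`type` and `html` fields) and the sample events are all constructed placeholders. It puts the weak substring check next to an exact-match check against an allow-list, and runs both over a legitimate origin and an unrelated origin that happens to contain the trusted host name, which is the kind of input the advisory says defeats the original check.

```javascript
// Added example (not the CleverTap SDK's own code). The allow-listed origin
// and the message format are constructed assumptions for illustration.
const ALLOWED_ORIGINS = new Set(["https://dashboard.example-vendor.com"]);

// Weak pattern of the kind the advisory describes: substring containment.
// Any origin string that contains the trusted host name is accepted, including
// an unrelated registrable domain whose subdomain label spells that name.
function isTrustedOriginWeak(origin) {
  return typeof origin === "string" && origin.includes("dashboard.example-vendor.com");
}

// Hardened check: canonicalise the origin with the URL parser and compare it
// for exact equality against an explicit allow-list. Opaque origins ("null")
// and unparseable strings are rejected.
function isTrustedOriginStrict(origin) {
  if (typeof origin !== "string") return false;
  let canonical;
  try {
    canonical = new URL(origin).origin; // "scheme://host[:port]", default port dropped
  } catch {
    return false;
  }
  return ALLOWED_ORIGINS.has(canonical);
}

// Handler for the postMessage-based preview flow. It returns a decision object
// rather than touching the DOM so the logic can be exercised outside a browser.
// The origin check is injectable so the weak and strict variants can be compared.
function handlePreviewMessage(event, checkOrigin = isTrustedOriginStrict) {
  if (!checkOrigin(event.origin)) {
    return { accepted: false, reason: "untrusted origin" };
  }
  const data = event.data;
  if (!data || data.type !== "custom-html-preview" || typeof data.html !== "string") {
    return { accepted: false, reason: "unexpected message shape" };
  }
  // Only at this point would a real implementation render data.html as a preview.
  return { accepted: true, html: data.html };
}

// Constructed sample events standing in for MessageEvent objects.
const SAMPLE_EVENTS = [
  {
    origin: "https://dashboard.example-vendor.com",
    data: { type: "custom-html-preview", html: "<p>legitimate preview</p>" },
  },
  {
    // Unrelated domain whose subdomain contains the trusted host name.
    origin: "https://dashboard.example-vendor.com.attacker.example",
    data: { type: "custom-html-preview", html: "<p>untrusted preview</p>" },
  },
];

// Runs every sample event through both checks and reports the decisions.
function compareChecks(events = SAMPLE_EVENTS) {
  return events.map((event) => ({
    origin: event.origin,
    weak: handlePreviewMessage(event, isTrustedOriginWeak).accepted,
    strict: handlePreviewMessage(event, isTrustedOriginStrict).accepted,
  }));
}

// In a browser the strict handler would be wired up like this; guarded so the
// file also runs under Node for the comparison above.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => handlePreviewMessage(event));
}

console.table(compareChecks());
```

Running it shows the legitimate origin accepted by both checks and the look-alike origin accepted only by the substring check. Comparing `new URL(origin).origin` rather than the raw string also keeps the allow-list robust to cosmetic variations such as an explicit default port, while still rejecting anything that is not literally one of the expected origins.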
NVD CVSS 3.1 score: 8.3
Vulnerability type
CWE-346
CWE-79
Cross-site Scripting (XSS)
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-26861
- https://github.com/CleverTap/clevertap-web-sdk/commit/84695b726a751614ddc3a4f713...
- https://github.com/advisories/GHSA-j5mf-6rh3-rhgg
- https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/util/campaignRen... (Product)
- https://github.com/CleverTap/clevertap-web-sdk/issues/424 (Exploit, Issue Tracking, Vendor Advisory)
- https://github.com/CleverTap/clevertap-web-sdk/pull/417 (Patch)
- https://github.com/CleverTap/clevertap-web-sdk (Product)
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026