CleverTap/clevertap-web-sdk

CleverTap/clevertap-web-sdk

Releases129

Frequency2 weeks 1 day

Last Release 22 days ago

Stars17

CleverTap Web SDK

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-26861 ↗	Feb 27, 2026Friday, 27 February 2026, 18:16	8.3 HIGH	—
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain
CVE-2026-26862 ↗	Feb 27, 2026Friday, 27 February 2026, 18:16	8.3 HIGH	—
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain