CVE-2026-26862

Name of the Vulnerable Software and Affected Versions CleverTap Web SDK versions 1.15.2 and earlier

Description The CleverTap Web SDK is susceptible to a DOM-based Cross-Site Scripting (XSS) issue. This occurs due to insufficient origin validation within the Visual Builder module, specifically in the src/modules/visualBuilder/pageBuilder.js file (lines 56-60). The includes() method is used to verify the origin URL, but it can be bypassed with a crafted subdomain. The vulnerability is triggered through the window.postMessage function.

Recommendations Update CleverTap Web SDK to a version later than 1.15.2.