Lookup for vulnerable packages by Package URL.

Purl pkg:npm/clevertap-web-sdk@1.15.3
Type npm
Namespace
Name clevertap-web-sdk
Version 1.15.3
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version 1.15.3
Latest_non_vulnerable_version 1.15.3
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-dkj6-wnb8-s7ba
vulnerability_id VCID-dkj6-wnb8-s7ba
summary
CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-26862
reference_id
reference_type
scores
0
value 0.00021
scoring_system epss
scoring_elements 0.06163
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-26862
1
reference_url https://github.com/CleverTap/clevertap-web-sdk
reference_id
reference_type
scores
url https://github.com/CleverTap/clevertap-web-sdk
2
reference_url https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/modules/visualBuilder/pageBuilder.js#L56-L60
reference_id
reference_type
scores
url https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/modules/visualBuilder/pageBuilder.js#L56-L60
3
reference_url https://github.com/CleverTap/clevertap-web-sdk/commit/766f75f0c9082a27eb0b59c9fa4b0d9b19ba3d10
reference_id
reference_type
scores
url https://github.com/CleverTap/clevertap-web-sdk/commit/766f75f0c9082a27eb0b59c9fa4b0d9b19ba3d10
4
reference_url https://github.com/CleverTap/clevertap-web-sdk/commit/84695b726a751614ddc3a4f71382c239c5833e03
reference_id
reference_type
scores
url https://github.com/CleverTap/clevertap-web-sdk/commit/84695b726a751614ddc3a4f71382c239c5833e03
5
reference_url https://github.com/CleverTap/clevertap-web-sdk/issues/442
reference_id
reference_type
scores
url https://github.com/CleverTap/clevertap-web-sdk/issues/442
6
reference_url https://github.com/CleverTap/clevertap-web-sdk/pull/417
reference_id
reference_type
scores
url https://github.com/CleverTap/clevertap-web-sdk/pull/417
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-26862
reference_id CVE-2026-26862
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-26862
8
reference_url https://github.com/advisories/GHSA-jfrq-hj9f-c8qx
reference_id GHSA-jfrq-hj9f-c8qx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jfrq-hj9f-c8qx
fixed_packages
0
url pkg:npm/clevertap-web-sdk@1.15.3
purl pkg:npm/clevertap-web-sdk@1.15.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/clevertap-web-sdk@1.15.3
aliases CVE-2026-26862, GHSA-jfrq-hj9f-c8qx
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dkj6-wnb8-s7ba
1
url VCID-fxft-3dqb-qbb9
vulnerability_id VCID-fxft-3dqb-qbb9
summary
CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-26861
reference_id
reference_type
scores
0
value 9e-05
scoring_system epss
scoring_elements 0.01072
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-26861
1
reference_url https://github.com/CleverTap/clevertap-web-sdk
reference_id
reference_type
scores
url https://github.com/CleverTap/clevertap-web-sdk
2
reference_url https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/util/campaignRender/nativeDisplay.js#L118-L121
reference_id
reference_type
scores
url https://github.com/CleverTap/clevertap-web-sdk/blob/cf1b65d/src/util/campaignRender/nativeDisplay.js#L118-L121
3
reference_url https://github.com/CleverTap/clevertap-web-sdk/commit/84695b726a751614ddc3a4f71382c239c5833e03
reference_id
reference_type
scores
url https://github.com/CleverTap/clevertap-web-sdk/commit/84695b726a751614ddc3a4f71382c239c5833e03
4
reference_url https://github.com/CleverTap/clevertap-web-sdk/issues/424
reference_id
reference_type
scores
url https://github.com/CleverTap/clevertap-web-sdk/issues/424
5
reference_url https://github.com/CleverTap/clevertap-web-sdk/pull/417
reference_id
reference_type
scores
url https://github.com/CleverTap/clevertap-web-sdk/pull/417
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-26861
reference_id CVE-2026-26861
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-26861
7
reference_url https://github.com/advisories/GHSA-j5mf-6rh3-rhgg
reference_id GHSA-j5mf-6rh3-rhgg
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j5mf-6rh3-rhgg
fixed_packages
0
url pkg:npm/clevertap-web-sdk@1.15.3
purl pkg:npm/clevertap-web-sdk@1.15.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/clevertap-web-sdk@1.15.3
aliases CVE-2026-26861, GHSA-j5mf-6rh3-rhgg
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fxft-3dqb-qbb9
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/clevertap-web-sdk@1.15.3