{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23636", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-14T16:08:37.483Z", "datePublished": "2026-03-25T16:58:36.194Z", "dateUpdated": "2026-03-27T14:56:49.566Z"}, "containers": {"cna": {"title": "Kiteworks Secure Data Forms is vulnerable to an Unrestricted Upload of File with Dangerous Type", "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-cfv8-p3hq-8wmm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-cfv8-p3hq-8wmm"}], "affected": [{"vendor": "kiteworks", "product": "Secure Data Forms", "versions": [{"version": "< 9.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T16:58:36.194Z"}, "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, the manager of a form could potentially exploit an Unrestricted Upload of File with Dangerous Type due to a missing validation. Upgrade Kiteworks to version 9.2.1 or later to receive a patch."}], "source": {"advisory": "GHSA-cfv8-p3hq-8wmm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T14:56:42.752629Z", "id": "CVE-2026-23636", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:56:49.566Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23636", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T14:56:42.752629Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:56:45.803Z"}}], "cna": {"title": "Kiteworks Secure Data Forms is vulnerable to an Unrestricted Upload of File with Dangerous Type", "source": {"advisory": "GHSA-cfv8-p3hq-8wmm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "kiteworks", "product": "Secure Data Forms", "versions": [{"status": "affected", "version": "< 9.2.1"}]}], "references": [{"url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-cfv8-p3hq-8wmm", "name": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-cfv8-p3hq-8wmm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, the manager of a form could potentially exploit an Unrestricted Upload of File with Dangerous Type due to a missing validation. Upgrade Kiteworks to version 9.2.1 or later to receive a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T16:58:36.194Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23636", "state": "PUBLISHED", "dateUpdated": "2026-03-27T14:56:49.566Z", "dateReserved": "2026-01-14T16:08:37.483Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T16:58:36.194Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:accellion:kiteworks:*:*:*:*:*:*:*:*", "matchCriteriaId": "30A78D6E-2376-4B2C-B4AD-499D1DF88E34", "versionEndExcluding": "9.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, the manager of a form could potentially exploit an Unrestricted Upload of File with Dangerous Type due to a missing validation. Upgrade Kiteworks to version 9.2.1 or later to receive a patch."}, {"lang": "es", "value": "Kiteworks es una red de datos privada (PDN). En Kiteworks Secure Data Forms anteriores a la versi\u00f3n 9.2.1, el gestor de un formulario podr\u00eda potencialmente explotar una carga de archivo sin restricciones de tipo peligroso debido a una validaci\u00f3n faltante. Actualice Kiteworks a la versi\u00f3n 9.2.1 o posterior para recibir un parche."}], "id": "CVE-2026-23636", "lastModified": "2026-03-27T19:13:44.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T17:16:35.660", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-cfv8-p3hq-8wmm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Secure Data Forms", "source": "cna", "vendor": "kiteworks"}, "product": "secure_data_forms", "vendor": "kiteworks"}], "analysis": {"en": {"generated_at": "2026-03-27T20:28:21.306146+00:00", "value": {"mitigation_remediation": ["Upgrade Kiteworks to version 9.2.1 or later"], "summary": {"action": "Immediate Patch", "impact": "Potential Remote Code Execution via Unrestricted File Upload"}, "threat_synthesis": {"affected_systems": "Kiteworks Secure Data Forms from Accellion is affected. Any deployment of the product that is running a version earlier than 9.2.1 is susceptible, including versions 9.0.x, 9.1.x, and other earlier releases. The advisory specifically applies to form managers who can configure forms within the application.", "description_and_impact": "The vulnerability is a missing validation that allows a form manager to upload files of any type, including dangerous executables, to Kiteworks Secure Data Forms. Because the upload control accepts any MIME type or file extension, an attacker could place a malicious script or binary as part of a form's resources. This increases the risk that the uploaded content could be executed by the system or used by subsequent users, leading to compromise of confidentiality, integrity, or availability. The weakness is identified as CWE-434, an unrestricted upload of files with dangerous types.", "risk_and_exploitability": "The CVSS score of 5.5 indicates a medium severity vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication as a form manager and depends on the ability to upload a file that the system later processes or executes. Because the attack vector is restricted to users with management rights, the attack surface is limited, but if compromised credentials are involved, the risk of code execution or data exfiltration is significant."}}}}, "created": "2026-03-25T21:46:42.629900+00:00", "updated": "2026-03-29T20:28:20.890365+00:00", "vendors": ["kiteworks", "kiteworks$PRODUCT$secure_data_forms"]}