CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage
- Severity: High
Description
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains “dashboard.clevertap.
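The following is an added illustration, not code from the CleverTap SDK, of why a substring check on `event.origin` is the wrong test and what the strict form looks like. It assumes the trusted dashboard origin is `https://dashboard.clevertap.com` (the advisory only shows the prefix "dashboard.clevertap.") and uses constructed sample origins.

```javascript
// Added example (not CleverTap's code). ASSUMPTION: the trusted origin is
// https://dashboard.clevertap.com; the advisory only shows "dashboard.clevertap.".
const TRUSTED_ORIGIN = "https://dashboard.clevertap.com";
const TRUSTED_SUBSTRING = "dashboard.clevertap.";

// The pattern the advisory describes: includes() only asks whether the
// substring appears anywhere in the origin string, not whether the origin
// actually IS the trusted one.
function isTrustedOriginWeak(origin) {
  return typeof origin === "string" && origin.includes(TRUSTED_SUBSTRING);
}

// Hardened check. event.origin is serialized as "scheme://host[:port]" with
// no path, so an exact comparison against an allow-list entry is sufficient
// and leaves no room for a look-alike host or an unrelated page.
function isTrustedOriginStrict(origin) {
  return origin === TRUSTED_ORIGIN;
}

// Listener shape a defender wants: reject before event.data is touched, so
// untrusted message content is never handed to anything that renders HTML.
function handleMessage(event, onTrusted) {
  if (!isTrustedOriginStrict(event.origin)) {
    return false; // message dropped; event.data is never used
  }
  onTrusted(event.data);
  return true;
}

// Constructed sample origins (not real hosts) to contrast the two checks.
const SAMPLE_ORIGINS = [
  "https://dashboard.clevertap.com",                   // the legitimate dashboard
  "https://dashboard.clevertap.com.not-trusted.example", // look-alike host: substring still matches
  "https://not-trusted.example",                       // unrelated origin
  "null",                                              // sandboxed/opaque origin
];

// Returns, per origin, what each check decides. Only the exact comparison
// rejects the look-alike host.
function compareChecks(origins) {
  return origins.map((origin) => ({
    origin,
    weak: isTrustedOriginWeak(origin),
    strict: isTrustedOriginStrict(origin),
  }));
}
```

Running `compareChecks(SAMPLE_ORIGINS)` shows the weak check accepting the look-alike host while the strict check accepts only the exact dashboard origin.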
Recommendation
Update the clevertap-web-sdk package to the latest compatible version. Version details:
- Affected version(s): < 1.15.3
- Patched version(s): 1.15.3
References
Related Issues
- CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function - CVE-2026-26861
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
- QuestDB UI's Web Console is Vulnerable to Cross-Site Scripting - CVE-2026-0824
- Tags: npm, clevertap-web-sdk
Last updated on March 01, 2026