Script Injection Vulnerability in Kiteworks Email Protection Gateway
CVE-2026-28272

8.1HIGH

Key Information:

Vendor: Kiteworks
Status: Security-advisories
Vendor: CVE Published:; 27 February 2026

What is CVE-2026-28272?

Kiteworks Email Protection Gateway, prior to version 9.2.0, is susceptible to a script injection vulnerability that allows authenticated administrators to inject malicious scripts through the configuration interface. When users interact with the affected user interface, the stored scripts can be executed, potentially compromising the integrity and security of the application. Version 9.2.0 includes a patch that addresses this critical security flaw.

Affected Version(s)

security-advisories < 9.2.0

References

https://github.com/kiteworks/security-advisories/security...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 27, 2026
Vulnerability Reserved
Feb 26, 2026

CVE-2026-28272 Data

JSON