{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23636", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-14T16:08:37.483Z", "datePublished": "2026-03-25T16:58:36.194Z", "dateUpdated": "2026-03-25T16:58:36.194Z"}, "containers": {"cna": {"title": "Kiteworks Secure Data Forms is vulnerable to an Unrestricted Upload of File with Dangerous Type", "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-cfv8-p3hq-8wmm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-cfv8-p3hq-8wmm"}], "affected": [{"vendor": "kiteworks", "product": "Secure Data Forms", "versions": [{"version": "< 9.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T16:58:36.194Z"}, "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, the manager of a form could potentially exploit an Unrestricted Upload of File with Dangerous Type due to a missing validation. Upgrade Kiteworks to version 9.2.1 or later to receive a patch."}], "source": {"advisory": "GHSA-cfv8-p3hq-8wmm", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, the manager of a form could potentially exploit an Unrestricted Upload of File with Dangerous Type due to a missing validation. Upgrade Kiteworks to version 9.2.1 or later to receive a patch."}], "id": "CVE-2026-23636", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:35.660", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-cfv8-p3hq-8wmm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Secure Data Forms", "source": "cna", "vendor": "kiteworks"}, "product": "secure_data_forms", "vendor": "kiteworks"}], "analysis": {"en": {"generated_at": "2026-03-25T19:43:58.766468+00:00", "value": {"mitigation_remediation": ["Update Kiteworks to version 9.2.1 or later to receive the vendor supplied fix.", "Confirm the running version after the update.", "If an immediate upgrade is not possible, restrict accepted file types at the application level and enforce strict validation to block files of dangerous types."], "summary": {"action": "Apply Patch", "impact": "Unrestricted File Upload"}, "threat_synthesis": {"affected_systems": "Instances of Kiteworks Secure Data Forms running any version prior to 9.2.1 are affected. The issue resides in the manager component that handles form file uploads. Upgrading to 9.2.1 or later incorporates a fix that correctly validates file types before accepting uploads.", "description_and_impact": "Kiteworks Secure Data Forms allows a form manager to upload files without validating the type. This flaw, classified as CWE\u2011434, permits an attacker to submit a file with a dangerous content type. While the CVE does not confirm execution of code, an attacker could potentially deliver a malicious payload that may be processed by the application, creating risks for confidentiality, integrity, or availability. The vulnerability is limited to the form upload interface and does not affect other components directly.", "risk_and_exploitability": "The CVSS score of 5.5 reflects moderate severity, indicating that the flaw can impact non\u2011privileged users who can access the upload interface. EPSS data is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack path is a simple network request from a user with manager access; an attacker could upload a dangerous file, potentially leading to further compromise if the file is processed or executed by the application."}}}}, "created": "2026-03-25T21:46:42.629900+00:00", "updated": "2026-03-26T11:34:25.665766+00:00", "vendors": ["kiteworks", "kiteworks$PRODUCT$secure_data_forms"]}