CVE-2026-0830
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-04-28
Assigner: AMZN
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | kiro_ide | to 0.6.18 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0830 is a command injection vulnerability in the Kiro GitLab Merge Request Helper within the Kiro IDE versions before 0.6.18. It occurs when a user opens a workspace containing specially crafted folder names that include malicious commands. This allows an attacker to execute arbitrary commands within the Kiro IDE environment. The vulnerability has been fixed in version 0.6.18, and users should update to this or later versions to mitigate the risk. [1]
How can this vulnerability impact me? :
This vulnerability can lead to arbitrary command execution on your system through the Kiro IDE when opening a maliciously crafted workspace. This means an attacker could potentially execute harmful commands, leading to compromise of your system's confidentiality, integrity, and availability. The impact includes possible unauthorized access, data loss, or system disruption. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the Kiro IDE to version 0.6.18 or later, as this version contains the fix for the command injection issue. [1]