CVE-2026-5429
Received Received - Intake
Code Injection via Unsanitized Input in Kiro IDE Webview

Publication date: 2026-04-02

Last updated on: 2026-04-02

Assigner: AMZN

Description
Unsanitized input during web page generation in the Kiro Agent webview in Kiro IDE before version 0.8.140 allows a remote unauthenticated threat actor to execute arbitrary code via a potentially damaging crafted color theme name when a local user opens the workspace. This issue requires the user to trust the workspace when prompted. To remediate this issue, users should upgrade to version 0.8.140.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5429
EUVD
EUVD-2026-18519
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
kiro agent 0.8.140
kiro ide to 0.8.140 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5429 is a vulnerability in the Kiro IDE software, specifically in the Kiro Agent webview component before version 0.8.140. The issue arises because the software does not properly sanitize input during web page generation. This allows a remote unauthenticated attacker to execute arbitrary code by crafting a malicious color theme name. The malicious code executes when a local user opens the workspace and trusts it upon prompt.

Impact Analysis

This vulnerability can lead to arbitrary code execution on the local machine of a user who opens a compromised workspace and trusts it. This means an attacker could potentially run harmful code, leading to unauthorized actions such as data theft, system compromise, or further malware installation.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade Kiro IDE to version 0.8.140 or later.

Additionally, ensure that any forked or derivative code of Kiro IDE includes the patch that fixes this issue.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5429. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart