CVE-2026-5429
Code Injection via Unsanitized Input in Kiro IDE Webview
Publication date: 2026-04-02
Last updated on: 2026-04-02
Assigner: AMZN
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kiro | agent | 0.8.140 |
| kiro | ide | up to 0.8.140 (excluding) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-5429 is a vulnerability in the Kiro IDE software, specifically in the Kiro Agent webview component before version 0.8.140. The issue arises because the software does not properly neutralize input during web page generation (CWE-79). A remote, unauthenticated attacker can craft a malicious color theme name inside a workspace; the injected code executes when a local user opens that workspace and trusts it at the prompt.
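The defect class described above, shown as an added illustration that is not Kiro's code: a workspace-supplied theme name is interpolated into webview HTML unescaped (the vulnerable pattern) versus validated on input and escaped on output (the hardened pattern). The function names, the allowlist regex and the sample theme name are all constructed here for the example.

```javascript
// Added example, not Kiro's code. A theme name read from workspace files is
// attacker-controlled, so it must be treated as untrusted text, never as HTML.

// Constructed sample input: a theme name carrying markup, as a hostile
// workspace might supply.
const UNTRUSTED_THEME_NAME = 'Solarized <img src=x onerror="alert(1)">';

// Vulnerable pattern (CWE-79): raw interpolation into the webview's HTML.
function renderThemeBannerUnsafe(themeName) {
  return `<div class="theme-banner">Theme: ${themeName}</div>`;
}

// Hardened step 1: validate at the trust boundary with a strict allowlist.
// Theme names have no legitimate need for markup characters.
const THEME_NAME_PATTERN = /^[A-Za-z0-9 _.-]{1,64}$/; // hypothetical policy
function isValidThemeName(themeName) {
  return typeof themeName === 'string' && THEME_NAME_PATTERN.test(themeName);
}

// Hardened step 2: escape at the output sink regardless of step 1, so a
// future code path that skips validation still cannot inject markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderThemeBannerSafe(themeName) {
  // Fall back to a neutral label rather than rendering a rejected name at all.
  const name = isValidThemeName(themeName) ? themeName : 'untitled';
  return `<div class="theme-banner">Theme: ${escapeHtml(name)}</div>`;
}

// Review/test helper: true if the rendered HTML contains any tag other than
// the wrapper <div> the template itself introduces.
function hasInjectedTags(html) {
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.some((t) => !/^<\/?div\b/.test(t));
}

// Demonstration when run directly.
console.log('unsafe :', renderThemeBannerUnsafe(UNTRUSTED_THEME_NAME));
console.log('safe   :', renderThemeBannerSafe(UNTRUSTED_THEME_NAME));
console.log('injected tags in unsafe output:', hasInjectedTags(renderThemeBannerUnsafe(UNTRUSTED_THEME_NAME)));
console.log('injected tags in safe output  :', hasInjectedTags(renderThemeBannerSafe(UNTRUSTED_THEME_NAME)));
```

Inside a real webview the same principle applies when writing to the DOM: assign untrusted strings with `textContent` rather than `innerHTML`, and pair that with a Content Security Policy on the webview so that inline script is not executable even if an escaping bug slips through.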
How can this vulnerability impact me?
This vulnerability can lead to arbitrary code execution on the local machine of a user who opens a compromised workspace and trusts it. This means an attacker could potentially run harmful code, leading to unauthorized actions such as data theft, system compromise, or further malware installation.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Kiro IDE to version 0.8.140 or later. Additionally, ensure that any forked or derivative code of Kiro IDE includes the patch that fixes this issue, and treat the "trust this workspace" prompt as a real trust decision: only trust workspaces from sources you control or have reviewed.