CVE-2026-39107
XSS in Kimi AI v1.0 Preview Feature
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: MITRE
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows arbitrary JavaScript execution in a victim's browser session via a Cross Site Scripting (XSS) flaw in the Kimi AI v1.0 'Preview' feature.
Such XSS vulnerabilities can lead to unauthorized access to user data, session hijacking, or data exfiltration, which may result in violations of data protection regulations like GDPR or HIPAA if personal or sensitive information is compromised.
Therefore, this vulnerability could negatively impact compliance with standards that require protection of user data and secure handling of personal information.
Can you explain this vulnerability to me?
CVE-2026-39107 is a Cross-Site Scripting (XSS) vulnerability in the Kimi AI v1.0 web interface's 'Preview' feature.
The application fails to properly sanitize or encode HTML/JavaScript payloads generated by the AI model.
When a user switches to the 'Preview' tab to view AI-generated code, any malicious payload embedded in the code is rendered directly into the Document Object Model (DOM), leading to arbitrary JavaScript execution in the victim's browser session.
An attacker can exploit this by tricking the AI into generating code containing malicious scripts, which execute immediately when the victim views the 'Preview' tab.
How can this vulnerability impact me?
This vulnerability allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session when they view the 'Preview' tab.
Potential impacts include theft of sensitive information such as cookies or session tokens, unauthorized actions performed on behalf of the user, and possible compromise of the user's account or data.
Since the malicious payload executes immediately upon viewing the preview, users are at risk simply by interacting with the affected feature.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing the behavior of the 'Preview' tab in Kimi AI v1.0 when AI-generated code containing malicious payloads is rendered. Specifically, if arbitrary JavaScript executes upon switching to the 'Preview' tab, it indicates the presence of the Cross-Site Scripting (XSS) vulnerability.
To detect this on your system, you can attempt to reproduce the issue by logging into Kimi AI v1.0, prompting the AI to generate code with embedded JavaScript payloads (such as alert() or other scripts), and then switching to the 'Preview' tab to see if the payload executes.
There are no specific network commands provided in the resources, but manual testing through the application interface is the primary detection method.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the 'Preview' tab in Kimi AI v1.0 until a patch or fix is applied, as the vulnerability is triggered when viewing AI-generated code in this tab.
Additionally, restrict access to the application to trusted users only, and educate users about the risk of executing untrusted AI-generated code in the 'Preview' feature.
Long-term mitigation requires the application developers to implement proper sanitization and encoding of HTML/JavaScript payloads generated by the AI model before rendering them in the DOM.
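To make the rendering flaw explained above and the sanitization-and-encoding fix called for in the mitigation answer concrete, the following is an added example; it is not code from Kimi AI and not part of this advisory. The function names and the sample model output are constructed for the illustration. The `sandbox`, `srcdoc` and Content-Security-Policy mechanisms it relies on are standard browser features. It shows the vulnerable shape (model output spliced raw into markup destined for `innerHTML`) next to two hardened shapes: output encoding when the preview only needs to display the code, and an origin-isolated iframe when the preview is meant to actually run it.

```javascript
// Added example (not Kimi AI's code): three ways a "Preview" feature can hand
// AI-generated markup to the browser. Function names and the sample model
// output are constructed for this illustration.

// Vulnerable shape: the model output is spliced raw into markup that the page
// then assigns to innerHTML. Any <script> element or on* attribute in the
// output executes with the application's own origin and session.
function buildPreviewUnsafe(modelOutput) {
  return '<div class="preview">' + modelOutput + '</div>';
}

// Encode the five HTML metacharacters so the browser shows text, not markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened shape 1 ("show the code"): output encoding. The code is displayed
// verbatim as text and can never become DOM elements or event handlers.
function buildPreviewAsText(modelOutput) {
  return '<pre class="preview"><code>' + escapeHtml(modelOutput) + '</code></pre>';
}

// Hardened shape 2 ("run the code"): isolation. The markup is loaded into an
// iframe whose sandbox omits allow-same-origin, so the frame gets an opaque
// origin and cannot read the host page's cookies, storage or DOM; a CSP inside
// the frame document additionally denies every network fetch from the preview.
function buildSandboxedPreview(modelOutput) {
  const csp = "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'";
  const frameDoc =
    '<!doctype html><html><head>' +
    '<meta http-equiv="Content-Security-Policy" content="' + csp + '">' +
    '</head><body>' + modelOutput + '</body></html>';
  // srcdoc is an attribute value, so the whole document is attribute-encoded;
  // the browser decodes it before parsing, so the preview still renders.
  return '<iframe sandbox="allow-scripts" referrerpolicy="no-referrer" srcdoc="' +
    escapeHtml(frameDoc) + '"></iframe>';
}

// Constructed sample of model output carrying an inline script, the kind of
// payload the advisory says the Preview tab executes.
const SAMPLE_MODEL_OUTPUT = '<p>Hello</p><script>alert(1)</script>';

console.log('unsafe   :', buildPreviewUnsafe(SAMPLE_MODEL_OUTPUT));
console.log('as text  :', buildPreviewAsText(SAMPLE_MODEL_OUTPUT));
console.log('sandboxed:', buildSandboxedPreview(SAMPLE_MODEL_OUTPUT));
```

Two design points matter when adopting the isolated variant: the `sandbox` token list must never include `allow-same-origin`, since that single token would give the preview the host application's origin and session back; and `script-src 'unsafe-inline'` is tolerable only inside that origin-isolated frame, never in the host page's own policy. Forms, pop-ups and top-level navigation are already blocked because the sandbox does not grant `allow-forms`, `allow-popups` or `allow-top-navigation`.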