
Description

Unsanitized input during web page generation in the Kiro Agent webview in Kiro IDE before version 0.8.140 allows a remote, unauthenticated threat actor to execute arbitrary code via a crafted, potentially damaging color theme name when a local user opens the workspace. This issue requires the user to trust the workspace when prompted. To remediate this issue, users should upgrade to version 0.8.140.

Status: Published | Reserved 2026-04-02 | Published 2026-04-02 | Updated 2026-04-02 | Assigner: AMZN

HIGH: 7.8  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

HIGH: 7.1  CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')

Product status

Default status: unaffected

Version 0.1 (custom) before 0.8.140: affected

References

Vendor advisory: aws.amazon.com/security/security-bulletins/2026-012-aws/

Release notes: kiro.dev/changelog/ide/0-8/

CVE record: cve.org (CVE-2026-5429)

NVD entry: nvd.nist.gov (CVE-2026-5429)
