ByteOS Network

NVD Vulnerability Details :

CVE-2026-25046

Awaiting Analysis

Source-security-advisories@github.com

Published At-29 Jan, 2026 | 22:15

Updated At-04 Feb, 2026 | 16:34

Kimi Agent SDK is a set of libraries that expose the Kimi Code (Kimi CLI) agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync() as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $(cmd) could execute arbitrary commands. Note: This vulnerability exists only in the repository's development scripts. The published VSCode extension does not include these files and end users are not affected. This is fixed in version 0.1.6 by replacing execSync with execFileSync using array arguments. As a workaround, ensure .vsix files in the project directory have safe filenames before running publish scripts.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	2.9	LOW	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

Type: Secondary

Version: 3.1

Base score: 2.9

Base severity: LOW

Vector:

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

Weaknesses

CWE ID	Type	Source
CWE-77	Primary	security-advisories@github.com

CWE ID: CWE-77

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/MoonshotAI/kimi-agent-sdk/security/advisories/GHSA-mv58-gxx5-8hj3	security-advisories@github.com	N/A

Hyperlink: https://github.com/MoonshotAI/kimi-agent-sdk/security/advisories/GHSA-mv58-gxx5-8hj3

Source: security-advisories@github.com

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History