Byte Open Security

(ByteOS Network)

Kiro IDE

Source - CNA
CNA CVEs - 4
ADP CVEs - 0
CISA CVEs - 0
NVD CVEs - 0
4 vulnerabilities found

CVE-2026-10591
Assigner-Amazon
CVSS Score-8.6 | HIGH
EPSS-0.08% / 24.48% | 7 Day CHG +0.01%
Published-02 Jun, 2026 | 15:34
Updated-05 Jun, 2026 | 17:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths

Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow a remote unauthenticated actor to execute arbitrary commands via crafted instructions that cause the tool to write to execution-sensitive paths (such as .vscode/tasks.json), enabling automatic execution when the folder is opened. To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later.

Action-Not Available
Vendor-AWS
Product-Kiro IDE
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2026-5429
Assigner-Amazon
CVSS Score-7.1 | HIGH
EPSS-0.03% / 9.72% | 7 Day CHG +0.01%
Published-02 Apr, 2026 | 18:37
Updated-03 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme

Unsanitized input during web page generation in the Kiro Agent webview in Kiro IDE before version 0.8.140 allows a remote unauthenticated threat actor to execute arbitrary code via a crafted color theme name when a local user opens the workspace. This issue requires the user to trust the workspace when prompted. To remediate this issue, users should upgrade to version 0.8.140 or later.

Action-Not Available
Vendor-AWS
Product-Kiro IDE
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-4295
Assigner-Amazon
CVSS Score-8.5 | HIGH
EPSS-0.03% / 8.77% | 7 Day CHG ~0.00%
Published-17 Mar, 2026 | 19:11
Updated-18 Mar, 2026 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary code execution via crafted project files in Kiro IDE

Improper trust boundary enforcement in Kiro IDE before version 0.8.0 on all supported platforms might allow a remote unauthenticated threat actor to execute arbitrary code via maliciously crafted project directory files that bypass workspace trust protections when a local user opens the directory. To remediate this issue, users should upgrade to version 0.8.0 or later.

Action-Not Available
Vendor-AWS
Product-Kiro IDE
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2026-0830
Assigner-Amazon
CVSS Score-8.4 | HIGH
EPSS-0.01% / 0.65% | 7 Day CHG -0.01%
Published-09 Jan, 2026 | 21:10
Updated-28 Apr, 2026 | 17:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection in Kiro GitLab Merge Request Helper

Processing specially crafted workspace folder names could allow arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when a user opens a maliciously crafted workspace. To remediate this issue, users should upgrade to version 0.6.18 or later.

Action-Not Available
Vendor-AWS
Product-Kiro IDE
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')