CVE-2026-8766
4.3 MEDIUM · A flaw has been found in Kilo-Org kilocode up to 7.0.47
Published: 2026-05-17 · Last updated: 2026-05-20
Severity and scoring
- CVSS: 4.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-284 (Improper Access Control)
Affected products
| Vendor | Product |
|---|---|
| kilo | kilo_code_cli |
Description
A flaw has been found in Kilo-Org kilocode up to and including version 7.0.47. It affects the function Load in the file packages/opencode/src/config/config.ts, part of the Environment Variable Handler component. Manipulating the KILO_CONFIG_CONTENT environment variable can lead to information disclosure (the CVSS vector scores confidentiality impact only, with no integrity or availability impact). Per the vector the attack can be launched remotely by a low-privileged user and needs no user interaction. An exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond; no fixed version is listed here, so treat every release up to 7.0.47 as affected until the vendor states otherwise.
Source: NVD
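The advisory gives only an upper bound ("up to 7.0.47") and no mechanism, so the one check a practitioner can make from this page alone is whether an installed build falls inside that range. The TypeScript below is an added example, not code from the advisory or from the kilocode project: it parses a semver string as reported by the CLI (the exact `--version` output format is an assumption; only the version string itself is needed), compares it against the inclusive bound 7.0.47 with proper prerelease handling, and flags affected builds. Version strings in the demo are constructed.

```typescript
// Added example, not part of the CVE-2026-8766 advisory or of kilocode.
// Decides whether a kilo_code_cli version string lies in the affected
// range "up to 7.0.47" (treated as inclusive, as in VulDB's convention).

// Inclusive upper bound of the affected range, taken from the advisory.
const LAST_AFFECTED_VERSION = "7.0.47";

interface SemVer {
  major: number;
  minor: number;
  patch: number;
  prerelease: string[]; // empty for a release build
}

// Parse "v7.0.47", "7.0.47-rc.1" or "7.0.47+build.5" into components.
// Assumption: the CLI reports plain semver; anything else is rejected
// rather than silently treated as safe.
function parseSemVer(input: string): SemVer {
  const re = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;
  const m = re.exec(input.trim());
  if (!m) throw new Error(`not a semver string: ${JSON.stringify(input)}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    prerelease: m[4] ? m[4].split(".") : [],
  };
}

// Semver 2.0 precedence: numeric core first; a release outranks any
// prerelease of the same core; prerelease identifiers are then compared
// left to right, numeric ones numerically and before alphanumeric ones,
// and a shorter identifier list sorts first when all shared parts match.
function compareSemVer(a: SemVer, b: SemVer): number {
  for (const key of ["major", "minor", "patch"] as const) {
    if (a[key] !== b[key]) return a[key] < b[key] ? -1 : 1;
  }
  if (a.prerelease.length === 0 && b.prerelease.length === 0) return 0;
  if (a.prerelease.length === 0) return 1;
  if (b.prerelease.length === 0) return -1;
  const n = Math.max(a.prerelease.length, b.prerelease.length);
  for (let i = 0; i < n; i++) {
    const x: string | undefined = a.prerelease[i];
    const y: string | undefined = b.prerelease[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xNum = /^\d+$/.test(x);
    const yNum = /^\d+$/.test(y);
    if (xNum && yNum) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xNum !== yNum) {
      return xNum ? -1 : 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// True when `installed` is at or below 7.0.47, i.e. inside the range the
// advisory reports as affected. Prereleases of 7.0.48 are above the bound
// and therefore not flagged; prereleases of 7.0.47 are below it and are.
function isAffectedByCve20268766(installed: string): boolean {
  const bound = parseSemVer(LAST_AFFECTED_VERSION);
  return compareSemVer(parseSemVer(installed), bound) <= 0;
}

// Demo over constructed version strings (not real inventory data).
for (const v of ["7.0.47", "v7.0.46", "7.0.47-beta.2", "7.0.48-rc.1", "7.1.0"]) {
  console.log(`${v.padEnd(14)} affected: ${isAffectedByCve20268766(v)}`);
}
```

Feed the function the version string from each host's CLI rather than from package manifests: the flaw is in the config loader that runs on the machine holding the environment, so what matters is the binary actually executing there.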
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-8766
- [Exploit reference] https://gist.github.com/YLChen-007/32b444e49ced1a46bde5a68933ccd09f
- [Exploit reference] https://vuldb.com/submit/811400
- [Other] https://vuldb.com/vuln/364391
- [Other] https://vuldb.com/vuln/364391/cti
Related CVEs
Same vendor
- CVE-2026-8765 — A vulnerability was detected in Kilo-Org kilocode up to 7.0.47 (4.3 MEDIUM)
Same CWE
- CVE-2026-12117 — Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to ...
- CVE-2026-12320 — Information disclosure in the Password Manager component (4.3 MEDIUM)
- CVE-2026-12311 — Information disclosure, sandbox escape in the Security: Process Sandboxing component (4.7 MEDIUM)
- CVE-2026-47261 — Wasmtime is a runtime for WebAssembly (7.5 HIGH)
- CVE-2026-50892 — Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attacke... (6.5 MEDIUM)