Description
Unsanitized input during web page generation in the Kiro Agent webview in Kiro IDE before version 0.8.140 allows a remote unauthenticated threat actor to execute arbitrary code via a potentially damaging crafted color theme name when a local user opens the workspace. This issue requires the user to trust the workspace when prompted.

To remediate this issue, users should upgrade to version 0.8.140.
Published: 2026-04-02
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Upgrade
AI Analysis

Impact

Kiro IDE versions prior to 0.8.140 contain a cross-site scripting flaw in the Kiro Agent webview. Unsanitized color theme names that a workspace developer can provide are written into a dynamically generated web page. An attacker may create a malicious color theme name containing script payloads. When a local user opens a workspace that includes such a theme, the webview will execute the script in the context of the application, allowing arbitrary code to run on the user's machine. This vulnerability falls under CWE-79 and can potentially compromise confidentiality, integrity, and availability of the affected system.

Affected Systems

The affected product is Kiro IDE by AWS. All installations running a version earlier than 0.8.140 are vulnerable. No other vendor or product is affected according to the available data.

Risk and Exploitability

The vulnerability carries a CVSS base score of 7.1, indicating a high severity. EPSS data is not available and the issue is not listed in CISA's KEV catalog. Because the flaw requires local user interaction (opening and trusting a workspace) but no prior authentication, any local user who can be induced to open the workspace is exposed, which presents a significant risk. An attacker would need to supply a malicious color theme and get a user to load it; once the user does so, the attacker can execute arbitrary code. The attack is effectively remote in practice: the attacker lures the user into opening a malicious workspace.

Generated by OpenCVE AI on April 2, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kiro IDE to version 0.8.140 or later.



Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Aws; Aws kiro Ide
Vendors & Products   |                | Aws; Aws kiro Ide

Thu, 02 Apr 2026 20:30:00 +0000

Type         | Values Removed | Values Added
Description  |                | Unsanitized input during web page generation in the Kiro Agent webview in Kiro IDE before version 0.8.140 allows a remote unauthenticated threat actor to execute arbitrary code via a potentially damaging crafted color theme name when a local user opens the workspace. This issue requires the user to trust the workspace when prompted. To remediate this issue, users should upgrade to version 0.8.140.
Title        |                | Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme
Weaknesses   |                | CWE-79
References   |                |
Metrics      |                | cvssV3_1: score 7.8, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
             |                | cvssV4_0: score 7.1, vector CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
             |                | ssvc (version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: total

MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-04-02T19:22:46.775Z

Reserved: 2026-04-02T15:46:40.727Z

Link: CVE-2026-5429

Vulnrichment

Updated: 2026-04-02T19:22:33.408Z

NVD

Status : Awaiting Analysis

Published: 2026-04-02T19:21:37.083

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-5429

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:16:38Z

Weaknesses