CVE-2026-8765 - Vulnerability Details

- Kilo-Org kilocode File Diff API Endpoint worktree-diff.ts Bun.file path traversal

Description

A vulnerability was detected in Kilo-Org kilocode up to 7.0.47. This vulnerability affects the function Bun.file of the file packages/opencode/src/kilocode/review/worktree-diff.ts of the component File Diff API Endpoint. Performing a manipulation of the argument File results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-05-17

Score: 5.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a path traversal flaw in the Kilocode File Diff API Endpoint, specifically in the Bun.file function used by opencode/src/kilocode/review/worktree-diff.ts. By supplying a crafted file argument, an attacker can read arbitrary files on the server’s file system. This flaw maps to CWE-22 and carries a CVSS score of 5.3, indicating a moderate level of severity. The exploit is publicly available and can be used from a remote source because the affected API endpoint is reachable over the network.

Affected Systems

Kilo-Org kilocode versions up to and including 7.0.47 are affected. No specific sub‑release information is provided, so any deployment of 7.0.47 or earlier is considered vulnerable.

Risk and Exploitability

The flaw allows remote actors to read sensitive files by manipulating the File argument in API calls. No KEV entry is currently assigned, and EPSS data is unavailable, so the precise exploitation probability cannot be quantified. Nevertheless, the publicly disclosed exploit and the remote nature of the attack suggest that the vulnerability is exploitable under normal conditions. Scanners that identify the vulnerable API should be considered at risk until mitigated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Kilo-Org

kilocode

affected

Version	Status	Constraints
`7.0.0`	affected	—
`7.0.1`	affected	—
`7.0.2`	affected	—
`7.0.3`	affected	—
`7.0.4`	affected	—
`7.0.5`	affected	—
`7.0.6`	affected	—
`7.0.7`	affected	—
`7.0.8`	affected	—
`7.0.9`	affected	—
`7.0.10`	affected	—
`7.0.11`	affected	—
`7.0.12`	affected	—
`7.0.13`	affected	—
`7.0.14`	affected	—
`7.0.15`	affected	—
`7.0.16`	affected	—
`7.0.17`	affected	—
`7.0.18`	affected	—
`7.0.19`	affected	—
`7.0.20`	affected	—
`7.0.21`	affected	—
`7.0.22`	affected	—
`7.0.23`	affected	—
`7.0.24`	affected	—
`7.0.25`	affected	—
`7.0.26`	affected	—
`7.0.27`	affected	—
`7.0.28`	affected	—
`7.0.29`	affected	—
`7.0.30`	affected	—
`7.0.31`	affected	—
`7.0.32`	affected	—
`7.0.33`	affected	—
`7.0.34`	affected	—
`7.0.35`	affected	—
`7.0.36`	affected	—
`7.0.37`	affected	—
`7.0.38`	affected	—
`7.0.39`	affected	—
`7.0.40`	affected	—
`7.0.41`	affected	—
`7.0.42`	affected	—
`7.0.43`	affected	—
`7.0.44`	affected	—
`7.0.45`	affected	—
`7.0.46`	affected	—
`7.0.47`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Kilocode patch that addresses the path traversal flaw.
If a patch is not yet available, block external access to the File Diff API endpoint or use network‑level controls to restrict reachability from untrusted hosts.
Enforce strict filesystem permissions and implement a whitelist of allowed paths so that the Bun.file function cannot resolve paths outside the intended directory.
Monitor web server and application logs for abnormal file access attempts and alert on suspicious patterns.

Generated by OpenCVE AI on May 17, 2026 at 23:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://gist.github.com/YLChen-007/1770f4530b0c933dc61f15b02aa0629d
https://vuldb.com/submit/811401
https://vuldb.com/vuln/364390
https://vuldb.com/vuln/364390/cti

History

Sun, 17 May 2026 22:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in Kilo-Org kilocode up to 7.0.47. This vulnerability affects the function Bun.file of the file packages/opencode/src/kilocode/review/worktree-diff.ts of the component File Diff API Endpoint. Performing a manipulation of the argument File results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Kilo-Org kilocode File Diff API Endpoint worktree-diff.ts Bun.file path traversal
First Time appeared		Kilo-org Kilo-org kilocode
Weaknesses		CWE-22
CPEs		cpe:2.3:a:kilo-org:kilocode::::::::
Vendors & Products		Kilo-org Kilo-org kilocode
References		https://gist.github.com/YLChen-007/1770f4530b0c933dc61f15b02aa0629d https://vuldb.com/submit/811401 https://vuldb.com/vuln/364390 https://vuldb.com/vuln/364390/cti
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Kilo-org Kilocode

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-17T22:00:13.413Z

Updated: 2026-05-17T22:00:13.413Z

Reserved: 2026-05-17T08:55:25.121Z

Link: CVE-2026-8765

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-17T23:17:02.480

Modified: 2026-05-17T23:17:02.480

Link: CVE-2026-8765

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T23:30:12Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object