Description
A vulnerability was detected in Kilo-Org kilocode up to 7.0.47. This vulnerability affects the function Bun.file of the file packages/opencode/src/kilocode/review/worktree-diff.ts of the component File Diff API Endpoint. Performing a manipulation of the argument File results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a path traversal flaw in the Kilocode File Diff API Endpoint, specifically in the Bun.file function used by opencode/src/kilocode/review/worktree-diff.ts. By supplying a crafted file argument, an attacker can read arbitrary files on the server’s file system. This flaw maps to CWE-22 and carries a CVSS score of 5.3, indicating a moderate level of severity. The exploit is publicly available and can be used from a remote source because the affected API endpoint is reachable over the network.

Affected Systems

Kilo-Org kilocode versions up to and including 7.0.47 are affected. No specific sub‑release information is provided, so any deployment of 7.0.47 or earlier is considered vulnerable.

Risk and Exploitability

The flaw allows remote actors to read sensitive files by manipulating the File argument in API calls. No KEV entry is currently assigned, and EPSS data is unavailable, so the precise exploitation probability cannot be quantified. Nevertheless, the publicly disclosed exploit and the remote nature of the attack suggest that the vulnerability is exploitable under normal conditions. Scanners that identify the vulnerable API should be considered at risk until mitigated.

Generated by OpenCVE AI on May 17, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Kilocode patch that addresses the path traversal flaw.
  • If a patch is not yet available, block external access to the File Diff API endpoint or use network‑level controls to restrict reachability from untrusted hosts.
  • Enforce strict filesystem permissions and implement a whitelist of allowed paths so that the Bun.file function cannot resolve paths outside the intended directory.
  • Monitor web server and application logs for abnormal file access attempts and alert on suspicious patterns.

Generated by OpenCVE AI on May 17, 2026 at 23:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:kilo:kilo_code:*:*:*:*:*:visual_studio_code:*:*

Mon, 18 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 18 May 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Kilo
Kilo kilo Code
Vendors & Products Kilo
Kilo kilo Code

Sun, 17 May 2026 22:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in Kilo-Org kilocode up to 7.0.47. This vulnerability affects the function Bun.file of the file packages/opencode/src/kilocode/review/worktree-diff.ts of the component File Diff API Endpoint. Performing a manipulation of the argument File results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Kilo-Org kilocode File Diff API Endpoint worktree-diff.ts Bun.file path traversal
First Time appeared Kilo-org
Kilo-org kilocode
Weaknesses CWE-22
CPEs cpe:2.3:a:kilo-org:kilocode:*:*:*:*:*:*:*:*
Vendors & Products Kilo-org
Kilo-org kilocode
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Kilo Kilo Code
Kilo-org Kilocode
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-18T12:28:11.436Z

Reserved: 2026-05-17T08:55:25.121Z

Link: CVE-2026-8765

cve-icon Vulnrichment

Updated: 2026-05-18T12:28:07.676Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-17T23:17:02.480

Modified: 2026-05-19T21:21:18.060

Link: CVE-2026-8765

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T10:49:00Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')