Skip to main content

Kilo-Org Kilocode CVE-2026-8766

| EUVD-2026-30710 LOW
Information Exposure (CWE-200)
2026-05-17 VulDB GHSA-rpc6-9c4p-j5cg
Information Disclosure
2.1
CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
May 17, 2026 - 23:22 NVD
MEDIUM LOW
CVSS changed
May 17, 2026 - 23:22 NVD
4.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 17, 2026 - 23:00 vuln.today

DescriptionNVD

A flaw has been found in Kilo-Org kilocode up to 7.0.47. This issue affects the function Load of the file packages/opencode/src/config/config.ts of the component Environment Variable Handler. Executing a manipulation of the argument KILO_CONFIG_CONTENT can lead to information disclosure. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Information disclosure in Kilo-Org Kilocode versions up to 7.0.47 allows authenticated remote attackers to access sensitive configuration data by manipulating the KILO_CONFIG_CONTENT environment variable through the config.ts Load function. Public exploit code exists (EPSS probability data not provided), enabling low-complexity attacks that expose confidential information without requiring user interaction. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-8766 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy