Skip to main content

Kilocode

2 CVEs product

Monthly

CVE-2026-8766 npm LOW POC Monitor

Information disclosure in Kilo-Org Kilocode versions up to 7.0.47 allows authenticated remote attackers to access sensitive configuration data by manipulating the KILO_CONFIG_CONTENT environment variable through the config.ts Load function. Public exploit code exists (EPSS probability data not provided), enabling low-complexity attacks that expose confidential information without requiring user interaction. The vendor has been unresponsive to disclosure attempts, and no patch release has been confirmed.

Information Disclosure Kilocode
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8765 LOW POC Monitor

Path traversal in Kilo-Org kilocode's File Diff API Endpoint allows authenticated remote attackers to read arbitrary files outside intended directories. Affecting versions up to 7.0.47, the vulnerability exploits insufficient validation of file path arguments in the Bun.file function within the worktree-diff component. Public exploit code exists (EPSS probability and KEV status not provided), and the vendor has not responded to disclosure attempts, leaving users without vendor-confirmed remediation guidance.

Path Traversal Kilocode
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
EPSS 0% CVSS 2.1
LOW POC Monitor

Information disclosure in Kilo-Org Kilocode versions up to 7.0.47 allows authenticated remote attackers to access sensitive configuration data by manipulating the KILO_CONFIG_CONTENT environment variable through the config.ts Load function. Public exploit code exists (EPSS probability data not provided), enabling low-complexity attacks that expose confidential information without requiring user interaction. The vendor has been unresponsive to disclosure attempts, and no patch release has been confirmed.

Information Disclosure Kilocode
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in Kilo-Org kilocode's File Diff API Endpoint allows authenticated remote attackers to read arbitrary files outside intended directories. Affecting versions up to 7.0.47, the vulnerability exploits insufficient validation of file path arguments in the Bun.file function within the worktree-diff component. Public exploit code exists (EPSS probability and KEV status not provided), and the vendor has not responded to disclosure attempts, leaving users without vendor-confirmed remediation guidance.

Path Traversal Kilocode
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy