Kimi AI Cross-Site Scripting Vulnerability in Preview Feature

Vulnerability

A Cross-Site Scripting (XSS) vulnerability has been identified in the Kimi AI web interface version 1.0, specifically within the 'Preview' feature. The issue arises because the application does not adequately sanitize or encode HTML and JavaScript payloads generated by the AI model. When users switch to the 'Preview' tab to view AI-generated code, any embedded malicious payloads are rendered directly into the Document Object Model (DOM). This flaw allows for arbitrary execution of JavaScript in the user's browser session.

Impact

Exploitation of this vulnerability results in stored or stored-like Cross-Site Scripting: the injected script executes in the browser session of the user viewing the preview, in the security context of that user's account.

Reproduction

To reproduce this vulnerability, log into the Kimi AI web platform and prompt the AI to create a tool, such as an XSS scanner similar to XSStrike, including a list of payloads. Once the AI generates the code, switch to the 'Preview' tab. The preview will render the JavaScript payload embedded in the response, executing it immediately in the browser.
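The root cause described above is that model-generated markup is written straight into the application's own document, so any script in it runs as the logged-in user. The following is an added example, not code from Kimi AI, and it assumes nothing about Kimi's real front end: it contrasts that pattern (shown only in a comment) with a hardened preview that shows output as escaped text in the code tab and renders it in the preview tab inside a sandboxed iframe with an opaque origin. The function names, the forbidden-token list and the sample payload are this example's own constructions.

```javascript
// Added example (not Kimi AI's code): rendering untrusted model output in a
// preview without letting it run in the application's origin.
//
// The vulnerable pattern the advisory describes amounts to:
//
//   previewPane.innerHTML = modelOutput;   // scripts run as the logged-in user
//
// The hardened approach below keeps two display modes: a code tab that shows
// the output as escaped text, and a preview tab that renders it in a sandboxed
// iframe. With `sandbox="allow-scripts"` and no `allow-same-origin`, the frame
// has a null origin, so scripts that do run cannot reach the host page's
// cookies, storage or DOM.

// Escape the five HTML-significant characters so model output is displayed
// literally in the code tab (textContent is simpler still when a DOM exists).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Sandbox tokens that must never be combined with allow-scripts: they either
// restore same-origin access or let the frame navigate the host page.
// (This list is the example's own policy, not a browser-defined set.)
const FORBIDDEN_WITH_SCRIPTS = new Set([
  'allow-same-origin',
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
]);

// Returns true only for a sandbox value that keeps scripted content isolated.
function isIsolatingSandbox(sandboxValue) {
  const tokens = String(sandboxValue).trim().split(/\s+/).filter(Boolean);
  if (!tokens.includes('allow-scripts')) return true; // no scripts at all
  return !tokens.some((t) => FORBIDDEN_WITH_SCRIPTS.has(t));
}

// Builds the attributes for the preview iframe. srcdoc carries the raw model
// output; the sandbox gives it a null origin. Throws instead of silently
// weakening the sandbox if a caller passes a dangerous token set.
function previewFrameAttributes(modelOutput, sandbox = 'allow-scripts') {
  if (!isIsolatingSandbox(sandbox)) {
    throw new Error(`refusing unsafe sandbox value: ${sandbox}`);
  }
  return { sandbox, srcdoc: String(modelOutput), referrerpolicy: 'no-referrer' };
}

// Serialises the iframe as markup. Attribute values are escaped so the model
// output cannot close the srcdoc attribute and inject into the host document.
function previewFrameMarkup(modelOutput, sandbox) {
  const a = previewFrameAttributes(modelOutput, sandbox);
  return `<iframe sandbox="${escapeHtml(a.sandbox)}" ` +
    `referrerpolicy="${a.referrerpolicy}" ` +
    `srcdoc="${escapeHtml(a.srcdoc)}"></iframe>`;
}

// Constructed sample: the kind of line an AI-generated payload list contains.
const SAMPLE_OUTPUT = '<img src=x onerror="alert(1)">';
```

In the code tab, `escapeHtml(SAMPLE_OUTPUT)` is what gets written to the page, so the payload is visible but inert. In the preview tab, `previewFrameMarkup(SAMPLE_OUTPUT)` produces an iframe whose content may still execute, but with a null origin and no same-origin access to the host; `previewFrameAttributes` refuses a sandbox that adds `allow-same-origin`, because that combination lets the framed script remove its own sandbox. Note that a `srcdoc` frame inherits the host page's Content-Security-Policy, so a restrictive host CSP tightens the preview further.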

Added: Jun 3, 2026, 6:47 PM
Updated: Jun 3, 2026, 6:47 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 9.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.