Kiro IDE Webview Unsanitized Input Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A vulnerability in the webview component of the Kiro Agent in Kiro IDE, in versions prior to 0.8.140, allows remote, unauthenticated execution of arbitrary code. The webview's HTML is generated from workspace data without sanitizing it: a crafted color theme name carried in a workspace (a project folder obtained from an attacker) is written into the page as-is, so attacker-controlled content is rendered and executed when a local user opens that workspace. The attacker does not need credentials or local access, but exploitation requires the victim to trust the workspace when Kiro IDE prompts for it.
Impact
Successful exploitation results in arbitrary code execution on the affected system in the context of the user who opened and trusted the malicious workspace.
Remediation
Upgrade to Kiro IDE version 0.8.140 or later. Until the upgrade is applied, do not trust workspaces from untrusted sources when prompted, since that prompt is the only step the attacker cannot control. Update instructions are in the Kiro IDE Changelog.
