CVE-2026-5429 HIGH

CVE-2026-5429: Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme

Vendor Aws

Product Kiro IDE

Weakness CWE-79 · XSS

Published April 2, 2026

Last update April 2, 2026

View on NVD All CVEs

CVSS base score

7.8/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Unsanitized input during web page generation in the Kiro Agent webview in Kiro IDE before version 0.8.140 allows a remote unauthenticated threat actor to execute arbitrary code via a potentially damaging crafted color theme name when a local user opens the workspace. This issue requires the user to trust the workspace when prompted. To remediate this issue, users should upgrade to version 0.8.140.

Key dates

02Disclosure timeline

April 2, 2026 CVE published

April 2, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-5429 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2026-5429: Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme

01Description

02Disclosure timeline

03References

04Related CVE