PT-2026-41585 · Kilo Org · Kilo Code
Eric-D
·
Published
2026-05-17
·
Updated
2026-05-19
·
CVE-2026-8765
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Kilo-Org kilocode versions prior to 7.0.48
Description
A path traversal issue exists in the File Diff API Endpoint, where the Bun.file call in packages/opencode/src/kilocode/review/worktree-diff.ts opens a path built from the request's file argument. A remote attacker with low-privilege access can place traversal sequences in that argument to read files outside the intended worktree; the CVSS vector records a high confidentiality impact and no integrity or availability impact.
Recommendations
Update to version 7.0.48 or later.
As a temporary workaround, restrict access to the File Diff API Endpoint so that only trusted callers can reach the Bun.file read, and reject file arguments that do not resolve to a path inside the worktree, to reduce the risk of exploitation until the update is applied.
Exploit
Fix
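The following is an added illustration, not Kilo Code's own source or its actual fix, of the pattern the description above refers to: a file-diff endpoint that builds a filesystem path from a user-controlled file argument and hands it to Bun.file. The worktree root, the function names and the file names are assumptions constructed for the example. It shows why path.join alone does not keep the read inside the worktree, why a plain string-prefix check is not enough either, and a separator-aware containment check that a practitioner would put in front of the file reader.

```typescript
import * as path from "node:path";

// Added illustration, not kilocode's code. The endpoint, the worktree root and
// the file names below are assumptions constructed for this example.
const WORKTREE_ROOT = "/srv/worktrees/review-1234";

/** Vulnerable pattern: the request's `file` argument is joined onto the
 *  worktree root and the result is handed to the file reader (Bun.file in
 *  the real sink). path.join normalizes "..", so "../../../etc/passwd"
 *  walks out of the worktree before any read happens. */
export function vulnerableResolve(root: string, file: string): string {
  return path.join(root, file);
}

/** Pitfall of a naive string-prefix check: it accepts sibling directories
 *  whose names merely start with the root ("/srv/worktrees/review-1234x"). */
export function naivePrefixCheck(root: string, candidate: string): boolean {
  return candidate.startsWith(root);
}

/** Hardened pattern: resolve the candidate, then require it to be a strict
 *  descendant of the root using a separator-aware relative path. Rejects
 *  absolute input, ".." escapes, lookalike siblings and the root itself. */
export function resolveWithinWorktree(root: string, file: string): string {
  if (file.includes("\0")) {
    throw new Error("NUL byte in path");
  }
  const rootAbs = path.resolve(root);
  // path.resolve discards `rootAbs` entirely when `file` is absolute, which is
  // why a boundary check is needed instead of trusting the join/resolve.
  const candidate = path.resolve(rootAbs, file);
  const rel = path.relative(rootAbs, candidate);
  const escapes =
    rel === "" ||                      // the root directory itself, not a file
    rel === ".." ||
    rel.startsWith(".." + path.sep) || // "../x": walked above the root
    path.isAbsolute(rel);              // different drive on Windows
  if (escapes) {
    throw new Error(`path escapes worktree: ${file}`);
  }
  return candidate;
}

/** Request-handler shape: returns the path the reader may open, or an error
 *  the endpoint should map to a 400 without echoing the resolved path. */
export function handleDiffRequest(
  file: string,
  root: string = WORKTREE_ROOT,
): { ok: true; path: string } | { ok: false; error: string } {
  try {
    return { ok: true, path: resolveWithinWorktree(root, file) };
  } catch (e) {
    return { ok: false, error: (e as Error).message };
  }
}
```

The check is lexical: it must run on the exact string the file reader will receive (after whatever URL decoding the web framework performs, and not again afterwards), and it does not see through symlinks, so a link inside the worktree that points outside still escapes. In a real service, follow it with a realpath of the candidate and repeat the containment check on the resolved path before opening the file.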
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Kilo Code