PT-2026-41586 · Kilo Org · Kilo Code

Eric-D · Published 2026-05-17 · Updated 2026-05-19 · CVE-2026-8766

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Kilo-Org kilocode versions prior to 7.0.48

Description

A flaw in the Environment Variable Handler component allows remote information disclosure. The issue exists within the Load() function located in the packages/opencode/src/config/config.ts file. An attacker can trigger this by manipulating the KILO CONFIG CONTENT argument.

Recommendations

Update to a version newer than 7.0.47. As a temporary workaround, restrict or monitor the use of the KILO CONFIG CONTENT argument to minimize the risk of information disclosure.

Exploit

Fix

Information Disclosure

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2026-8766
GHSA-RPC6-9C4P-J5CG

Affected Products

Kilo Code