Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme

Description

Unsanitized input during web page generation in the Kiro Agent webview in Kiro IDE before version 0.8.140 allows a remote unauthenticated threat actor to execute arbitrary code via a potentially damaging crafted color theme name when a local user opens the workspace. This issue requires the user to trust the workspace when prompted. To remediate this issue, users should upgrade to version 0.8.140.

Affected Products

Vendor	Product	Versions
amazon web services	Kiro IDE	0.1, 0.8.139

References

https://aws.amazon.com/security/security-bulletins/2026-012-aws/(vendor-advisory)
https://kiro.dev/changelog/ide/0-8/#patch-0-8-140(release-notes)

Related News (1 articles)

Tier C

VulDB5d ago

CVE-2026-5429 | Amazon AWS Kiro IDE up to 0.8.139 Kiro Agent Webview cross site scripting

→ No new info (linked only)

CVSS 3.17.8 MEDIUM

VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

0.8.140

CWECWE-79

PublishedApr 2, 2026

Last enriched5d agov2

Trending Score15

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

Version History

Last enriched 5d ago

v2Tier C5d ago

Updated product name to Kiro IDE, affected versions to 0.8.139, severity to MEDIUM, and noted that no exploit exists.

productaffectedVersionsseverity

via VulDB

v15d ago

Initial creation

Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (2)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History