cpe:2.3:a:aws:kiro_ide:*:*:*:*:*:*:*:*

part: a · version: * · update: *

Vendor: Aws (e6707f00-6abb-51df-808c-9e3417305027)
Product: Kiro Ide (cc80c087-f809-5b03-a206-e5e2e4290f7a)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL · Source · Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier · CPE applicability · Submitted · db.gcve.eu details · Rationale
Identifier: CVE-2026-5429
CPE applicability: vulnerable
Submitted: 2026-06-03 15:26:27.150798
db.gcve.eu details: Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme
Severity: HIGH (7.8)
Description: Unsanitized input during web page generation in the Kiro Agent webview in Kiro IDE before version 0.8.140 allows a remote unauthenticated threat actor to execute arbitrary code via a potentially damaging crafted color theme name when a local user opens the workspace. This issue requires the user to trust the workspace when prompted. To remediate this issue, users should upgrade to version 0.8.140.
Published: 2026-04-02T18:37:42.972Z
Updated: 2026-04-02T19:22:46.775Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE-2026-4295
CPE applicability: vulnerable
Submitted: 2026-06-03 15:26:25.148475
db.gcve.eu details: Arbitrary code execution via crafted project files in Kiro IDE
Severity: HIGH (7.8)
Description: Improper trust boundary enforcement in Kiro IDE before version 0.8.0 on all supported platforms might allow a remote unauthenticated threat actor to execute arbitrary code via maliciously crafted project directory files that bypass workspace trust protections when a local user opens the directory. To remediate this issue, users should upgrade to version 0.8.0 or higher.
Published: 2026-03-17T19:11:58.702Z
Updated: 2026-03-18T14:07:58.063Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE-2026-10591
CPE applicability: vulnerable
Submitted: 2026-06-03 15:14:43.587317
db.gcve.eu details: Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths
Severity: HIGH (8.8)
Description: Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open. To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later.
Published: 2026-06-02T15:34:40.106Z
Updated: 2026-06-03T03:56:03.860Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE-2026-0830
CPE applicability: vulnerable
Submitted: 2026-06-03 15:14:42.939567
db.gcve.eu details: Command Injection in Kiro GitLab Merge Request Helper
Severity: HIGH (7.8)
Description: Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to the latest version.
Published: 2026-01-09T21:10:09.310Z
Updated: 2026-01-09T21:18:53.768Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data