A vulnerability was found in Kilo-Org kilocode up to 7.0.47. It affects the function Bun.file in the file packages/opencode/src/kilocode/review/worktree-diff.ts of the component File Diff API Endpoint. Manipulating the argument File leads to path traversal (CWE-22): in a file-read sink such as Bun.file this means a crafted argument can point the endpoint at files outside the directory it is meant to serve. The attack can be launched remotely. The exploit is public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
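The kind of check that closes this bug class, as an added example in TypeScript that is not code from kilocode or from the advisory: a request-supplied file argument is resolved against a worktree root, first in the unchecked pattern and then with a containment check that rejects anything resolving outside the root. The root directory, the function names and the sample inputs are assumptions made for illustration; the project's real code path is not reproduced here.

```typescript
import * as path from "node:path";

// Constructed worktree root for the demo; not a path from the advisory.
// path.posix is used so the example behaves identically on every host.
const WORKTREE_ROOT = "/srv/worktrees/pr-42";

// Unchecked pattern (hypothetical, shown for contrast): join the request's
// `file` argument onto the root and hand the result to the file sink.
// join() normalises "../" segments, so "../../../etc/passwd" lands outside
// the worktree without any error.
function resolveUnchecked(root: string, file: string): string {
  return path.posix.join(root, file);
}

// Hardened pattern: resolve the candidate, then require it to lie strictly
// below the root. The trailing separator in the prefix check stops a sibling
// such as "/srv/worktrees/pr-42-other" from passing as "/srv/worktrees/pr-42".
// Returns null for anything the endpoint must reject (400/404).
function resolveInsideWorktree(root: string, file: string): string | null {
  const rootAbs = path.posix.resolve(root);
  // resolve() discards rootAbs when `file` is absolute, so "/etc/passwd" is
  // caught by the same prefix check instead of being appended to the root.
  const candidate = path.posix.resolve(rootAbs, file);
  if (candidate === rootAbs) return null; // "" and "." name the directory itself
  if (!candidate.startsWith(rootAbs + path.posix.sep)) return null;
  return candidate;
}

// Run both resolvers over a batch of inputs so the behaviours can be compared.
interface Outcome {
  file: string;
  unchecked: string;
  checked: string | null;
}
function classify(root: string, files: string[]): Outcome[] {
  return files.map((file) => ({
    file,
    unchecked: resolveUnchecked(root, file),
    checked: resolveInsideWorktree(root, file),
  }));
}

// Constructed sample values of the `file` argument.
const SAMPLE_FILES = [
  "src/index.ts", // legitimate relative path
  "src/../README.md", // normalises back inside the root: allowed
  "../../../etc/passwd", // classic traversal
  "/etc/passwd", // absolute path
  "src/../../secret", // escapes by one level
  "", // the root directory itself
];

for (const o of classify(WORKTREE_ROOT, SAMPLE_FILES)) {
  console.log(
    `${JSON.stringify(o.file)} -> unchecked: ${o.unchecked} | checked: ${o.checked ?? "REJECTED"}`,
  );
}
```

The check is purely lexical. If the worktree can contain symlinks (a git worktree of an untrusted branch can), canonicalise with fs.realpath before the prefix comparison, or open the file relative to a directory handle, so that a link inside the root pointing outside it is also refused.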
References
| Link | Resource |
|---|---|
| https://gist.github.com/YLChen-007/1770f4530b0c933dc61f15b02aa0629d | Exploit Third Party Advisory |
| https://vuldb.com/submit/811401 | Exploit Third Party Advisory VDB Entry |
| https://vuldb.com/vuln/364390 | Third Party Advisory VDB Entry |
| https://vuldb.com/vuln/364390/cti | Permissions Required VDB Entry |
History
19 May 2026, 21:21
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | | cpe:2.3:a:kilo:kilo_code:*:*:*:*:*:visual_studio_code:*:* |
| First Time | | Kilo; Kilo kilo Code |
| References | | https://gist.github.com/YLChen-007/1770f4530b0c933dc61f15b02aa0629d - Exploit, Third Party Advisory |
| References | | https://vuldb.com/submit/811401 - Exploit, Third Party Advisory, VDB Entry |
| References | | https://vuldb.com/vuln/364390 - Third Party Advisory, VDB Entry |
| References | | https://vuldb.com/vuln/364390/cti - Permissions Required, VDB Entry |
17 May 2026, 23:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-05-17 23:17
Updated : 2026-05-19 21:21
NVD link : CVE-2026-8765
Mitre link : CVE-2026-8765
CVE.ORG link : CVE-2026-8765
Products Affected
kilo
- kilo_code
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
