CVE-2026-5429 in AWS Kiro IDEinfo

Summary

Unsanitized input during web page generation in the Kiro Agent webview in Kiro IDE before version 0.8.140 allows a remote unauthenticated threat actor to execute arbitrary code via a potentially damaging crafted color theme name when a local user opens the workspace. This issue requires the user to trust the workspace when prompted.

To remediate this issue, users should upgrade to version 0.8.140.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Responsible

AMZN

Reservation

04/02/2026

Disclosure

04/02/2026

Status

Confirmed

Entries

VulDB provides additional information and datapoints for this CVE:

IDVulnerabilityCWEExpCouCVE
355028Amazon AWS Kiro IDE Kiro Agent Webview cross site scripting79Not definedOfficial fixCVE-2026-5429

Description

CPE

CWE

CVSS

Exploits

History

Diff

Relate

Threat Intelligence

API JSON

API XML

API CSV

Sources

PreviousOverviewNext

Do you need the next level of professionalism?

Upgrade your account now!