CVE-2026-39107

MEDIUM

Kimi AI 1.0 - Stored Cross-Site Scripting in Preview Feature

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-39107. PoCs published by MGTx2.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-39107, a stored XSS vulnerability in Kimi AI v1.0's 'Preview' feature. It includes a step-by-step exploitation scenario, proof of concept, and a screenshot demonstrating the vulnerability.

Description

A Cross Site Scripting vulnerability exists in the Kimi AI v1.0 web interface's 'Preview' feature. The application fails to properly sanitize or encode HTML/JavaScript payloads generated by the AI model. When a user switches to the 'Preview' tab to view AI-generated code, the malicious payload is rendered directly into the DOM, leading to arbitrary JavaScript execution in the victim's browser session.

Exploits (1)

github WRITEUP 1 stars
by MGTx2 · poc
https://github.com/MGTx2/CVE-2026-39107

This repository provides a detailed technical analysis of CVE-2026-39107, a stored XSS vulnerability in Kimi AI v1.0's 'Preview' feature. It includes a step-by-step exploitation scenario, proof of concept, and a screenshot demonstrating the vulnerability.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Kimi AI v1.0
Auth required
Prerequisites: Access to Kimi AI web platform · Ability to prompt AI to generate malicious code
devstral-2 · analyzed Jun 04, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 6.3
EPSS 0.0004
EPSS Percentile 14.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Published Jun 03, 2026
Tracked Since Jun 03, 2026