CVE-2026-8766

MEDIUM

Kilo-Org kilocode Environment Variable config.ts load information disclosure

Title source: cna

Description

A flaw has been found in Kilo-Org kilocode up to 7.0.47. This issue affects the function Load of the file packages/opencode/src/config/config.ts of the component Environment Variable Handler. Executing a manipulation of the argument KILO_CONFIG_CONTENT can lead to information disclosure. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-364391 | Kilo-Org kilocode Environment Variable config.ts load information disclosure

https://vuldb.com/vuln/364391

Signature, Permissions Required signature permissions-required

VDB-364391 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/364391/cti

Third Party Advisory third-party-advisory

Submit #811400 | Kilo-Org kilocode 7.0.47 Arbitrary File Read (CWE-200)

https://vuldb.com/submit/811400

Exploit exploit

https://gist.github.com/YLChen-007/32b444e49ced1a46bde5a68933ccd09f

Scores

CVSS v3 4.3

EPSS 0.0032

EPSS Percentile 23.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-200 CWE-284

Status published

Products (50)

kilo/kilo_code 7.0.0 - 7.0.47

kilo/kilo_code_cli < 7.0.47

Kilo-Org/kilocode 7.0.0

Kilo-Org/kilocode 7.0.1

Kilo-Org/kilocode 7.0.10

Kilo-Org/kilocode 7.0.11

Kilo-Org/kilocode 7.0.12

Kilo-Org/kilocode 7.0.13

Kilo-Org/kilocode 7.0.14

Kilo-Org/kilocode 7.0.15

... and 40 more

Published May 17, 2026

Tracked Since May 18, 2026