PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-70365 Kiamo CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages. This stored XSS vulnerability has a CVSS score of 5.4, indicating Medium severity. Users of Kiamo before version 8.4 should apply the fix to prevent exploitation. The Supplier claims a fix was already released for the 8.3.1 branch before the CVE Record was published.

Vendor
Kiamo
Product
Kiamo
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-09
Original CVE updated
2026-07-05
Advisory published
2026-04-09
Advisory updated
2026-07-05

Who should care

Users of Kiamo before version 8.4 should apply the fix to prevent exploitation of this stored cross-site scripting (XSS) vulnerability. This includes administrators and security teams responsible for managing Kiamo installations. The vulnerability requires administrative access to exploit but can have significant impacts if exploited. Security teams should prioritize patching and monitor for suspicious activity.

Technical summary

The vulnerability exists due to improper output encoding of user-supplied input in administrative interfaces of Kiamo before 8.4. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages. This issue requires administrative access to exploit, increasing the difficulty but not eliminating the risk. The CVSS score of 5.4 reflects the Medium severity of this vulnerability.

Defensive priority

Medium-High priority given the CVSS score of 5.4, the requirement for administrative access to exploit, and the potential impact of successful exploitation.

Recommended defensive actions

  • Apply the fix from the vendor for Kiamo version 8.4 or later.
  • Inventory and update affected Kiamo installations.
  • Monitor administrative interfaces for suspicious activity.
  • Implement compensating controls such as web application firewalls.
  • Restrict administrative access to trusted users.

Evidence notes

The CVE record was published on 2026-04-09T16:16:25.707Z and last modified on 2026-07-05T02:17:38.950Z. The Supplier claims a fix was already released for the 8.3.1 branch before the CVE Record was published. Evidence is limited to CVE and NVD details. Defenders should verify Kiamo versions, check for administrative interface exposure, and monitor for suspicious JavaScript activity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-09T16:16:25.707Z and has not been modified since then.