PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8765 Kilo-Org CVE debrief

A path traversal vulnerability exists in Kilo-Org kilocode versions up to and including 7.0.47. The flaw is in the `Bun.file` call within `packages/opencode/src/kilocode/review/worktree-diff.ts`, which backs the File Diff API Endpoint. An attacker who controls the `File` argument can supply traversal sequences and read files outside the intended directory. The attack vector is network-based with low attack complexity and requires low privileges. The CVSS 4.0 score of 2.1 (Low) reflects a limited confidentiality impact with no integrity or availability impact. A proof-of-concept exploit has been publicly disclosed; the vendor was unresponsive to early disclosure attempts. The weakness is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

Vendor
Kilo-Org
Product
kilocode
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-17
Original CVE updated
2026-05-19
Advisory published
2026-05-17
Advisory updated
2026-05-19

Who should care

Organizations running the Kilo Code extension, versions 7.0.0 through 7.0.47, in Visual Studio Code; security teams monitoring for path traversal in Bun-based applications; developers maintaining file diff functionality in code review tools

Technical summary

The vulnerability is in the `Bun.file` call within `packages/opencode/src/kilocode/review/worktree-diff.ts`. Insufficient validation of the `File` argument lets traversal sequences such as `../` reach that call, so a low-privileged attacker can read files outside the intended worktree directory. The attack is remotely exploitable with low complexity. CVSS 4.0 scoring indicates a confidentiality impact only, with no integrity or availability impact.

Defensive priority

low

Recommended defensive actions

  • Upgrade Kilo Code to a fixed release newer than 7.0.47 once one becomes available
  • Restrict network access to the File Diff API Endpoint to authorized users only
  • Validate and canonicalize the file path argument in worktree-diff.ts so the resolved path is confirmed to lie inside the worktree root before `Bun.file` is called
  • Monitor application logs for anomalous file access patterns, in particular requests whose file argument contains `..` segments or absolute paths
  • Consider Web Application Firewall (WAF) rules to detect and block path traversal attempts, including URL-encoded variants, as a stopgap rather than a fix

Evidence notes

Vulnerability confirmed in Kilo Code versions 7.0.0 through 7.0.47 per NVD CPE criteria. The affected component is the File Diff API Endpoint using Bun.file function. CVSS 4.0 vector indicates network attack vector, low complexity, low privileges required, with proof-of-concept exploit available.

Official resources

No vendor advisory or patch link is recorded in the stored evidence. A public exploit is available, and the vendor was unresponsive to early disclosure.