PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8766 Kilo-Org CVE debrief

CVE-2026-8766 is a low-severity information disclosure issue in Kilo Code CLI up to 7.0.47. The supplied description says the vulnerable code path is the Load function in packages/opencode/src/config/config.ts, within the Environment Variable Handler component, and that manipulating KILO_CONFIG_CONTENT can disclose information remotely. The CVE record also references a public exploit and notes that the vendor was contacted early but did not respond.

Vendor: Kilo-Org
Product: kilocode
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-17
Original CVE updated: 2026-05-20
Advisory published: 2026-05-17
Advisory updated: 2026-05-20

Who should care

Administrators and developers running Kilo Code CLI versions 7.0.47 and earlier should care, especially where the tool runs in remotely reachable automation or in any workflow where KILO_CONFIG_CONTENT can be influenced by untrusted input.

Technical summary

The NVD record marks the affected CPE as kilo:kilo_code_cli on Node.js with vulnerability coverage through version 7.0.47. The described impact is confidentiality-only information disclosure, consistent with the supplied CVSS 4.0 vector: network attack vector, low privileges required, no user interaction, and no integrity or availability impact. The source corpus also maps the issue to CWE-200 and CWE-284.

Defensive priority

Low overall, but higher priority for exposed or automated deployments because the issue is remotely reachable and the supplied references indicate a public exploit exists.

Recommended defensive actions

  • Inventory Kilo Code CLI deployments and confirm whether version 7.0.47 or earlier is installed.
  • Restrict and audit any use of KILO_CONFIG_CONTENT; treat it as sensitive input and avoid allowing untrusted parties to influence it.
  • Upgrade beyond 7.0.47 once a fixed release is available and verified.
  • Monitor for unexpected disclosure of configuration or environment data related to this handler.
  • Review the linked NVD and VulDB references for any vendor updates or compensating guidance.
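The first two actions above, inventory and auditing of KILO_CONFIG_CONTENT, as an added example that is not PatchSiren's or Kilo-Org's code. It assumes a constructed inventory of host records carrying a version string (for example from package manager output) and an environment snapshot; hostnames and versions are illustrative, and a version above 7.0.47 is only reported as outside the stated range, not as confirmed fixed.

```python
"""Inventory check for CVE-2026-8766: flag Kilo Code CLI installs in the
affected range (up to 7.0.47) and hosts where KILO_CONFIG_CONTENT is set."""
import re
from typing import Optional

LAST_AFFECTED = (7, 0, 47)  # "up to 7.0.47" per the advisory text
SENSITIVE_VAR = "KILO_CONFIG_CONTENT"


def parse_version(text: str) -> Optional[tuple]:
    """Extract major.minor.patch from strings like 'v7.0.47' or '7.0.48-beta.1'.
    Returns None when no version can be found."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def is_affected(version: str) -> bool:
    """True when the parsed version is <= 7.0.47. Unparseable versions are
    treated as affected so they get reviewed rather than silently skipped."""
    parsed = parse_version(version)
    return parsed is None or parsed <= LAST_AFFECTED


def assess_host(record: dict) -> dict:
    """record: {'host': str, 'version': str, 'env': {name: value}}.
    The env check reports presence only, never the variable's value,
    because the content itself may be sensitive."""
    findings = []
    if is_affected(record["version"]):
        findings.append(f"kilocode {record['version']} is within the affected range (<= 7.0.47)")
    if SENSITIVE_VAR in record.get("env", {}):
        findings.append(f"{SENSITIVE_VAR} is set; verify its source is trusted")
    return {"host": record["host"], "findings": findings}


# Constructed sample inventory; hosts, versions and env are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "ci-runner-01", "version": "7.0.47", "env": {"KILO_CONFIG_CONTENT": "...", "CI": "1"}},
    {"host": "dev-laptop-02", "version": "v7.0.48", "env": {"HOME": "/home/dev"}},
    {"host": "build-03", "version": "unknown", "env": {}},
]


def run(inventory=SAMPLE_INVENTORY):
    return [assess_host(r) for r in inventory]


if __name__ == "__main__":
    for result in run():
        print(result["host"], "->", result["findings"] or ["no findings"])
```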

Evidence notes

Primary facts come from the supplied CVE description and the NVD record. The description states that manipulating KILO_CONFIG_CONTENT can lead to information disclosure and that remote attack is possible. The NVD metadata lists the vulnerable CPE as kilo:kilo_code_cli through 7.0.47 and includes references tagged as Exploit and Third Party Advisory. The weaknesses section cites CWE-200 and CWE-284, supporting the confidentiality and authorization themes in the advisory.

Official resources

The CVE was published on 2026-05-17. The supplied description states that a public exploit has been published and that the vendor was contacted early but did not respond.