CVE-2026-8766 is a low-severity information disclosure issue in Kilo Code CLI up to 7.0.47. The supplied description says the vulnerable code path is the Load function in packages/opencode/src/config/config.ts, within the Environment Variable Handler component, and that manipulating KILO_CONFIG_CONTENT can disclose information remotely. The CVE record also references a public exploit and notes that the ve [truncated]
A path traversal vulnerability exists in Kilo-Org kilocode versions up to and including 7.0.47. The vulnerability resides in the `Bun.file` function within `packages/opencode/src/kilocode/review/worktree-diff.ts`, specifically affecting the File Diff API Endpoint. An attacker can manipulate the `File` argument to achieve path traversal, potentially allowing unauthorized file access. The attack vector is n [truncated]