CVE-2026-59859
Kiota: Code Generation Literal Injection in the PHP Generator
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.4, Kiota's PHP generator embedded OpenAPI description, default fields, property names, and other schema-derived strings into PHP double-quoted literals through SanitizeDoubleQuote() in Writers/StringExtensions.cs without escaping $, allowing attacker-controlled ${...}, $var, or {$obj->prop} interpolation constructs to inject arbitrary PHP code into generated model and request-builder classes. This issue is fixed in version 1.32.4.
| CWE | CWE-94 |
| Vendor | microsoft |
| Product | kiota |
| Ecosystems | |
| Industries | TechnologyEnterprise |
| Published | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for microsoft kiota
Be the first to know when new unknown vulnerabilities affecting microsoft kiota are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
microsoft / kiota
< 1.32.4
References
github.com: https://github.com/microsoft/kiota/security/advisories/GHSA-jqwh-526h-c92j github.com: https://github.com/microsoft/kiota/pull/7863 github.com: https://github.com/microsoft/kiota/commit/5e2a211ac4261988fbdc72c3b268596ea8837b87 github.com: https://github.com/microsoft/kiota/releases/tag/v1.32.4