๐Ÿ” CVE Alert

CVE-2026-59860

UNKNOWN 0.0

Kiota: XML Doc-Comment Newline Breakout Code Injection

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.3, Kiota is affected by a code-generation injection vulnerability in the C# XML documentation-comment sink (the description, externalDocs label, and externalDocs link fields emitted as /// โ€ฆ comments). When text from an OpenAPI description is written into single-line XML doc comments without stripping newline and Unicode line-terminator characters, an attacker can break out of the /// comment line and inject additional code into generated C# clients. This issue is fixed in version 1.32.3.

CWE CWE-94
Vendor microsoft
Product kiota
Ecosystems
Industries
TechnologyEnterprise
Published Jul 16, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for microsoft kiota

Be the first to know when new unknown vulnerabilities affecting microsoft kiota are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

microsoft / kiota
< 1.32.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/microsoft/kiota/security/advisories/GHSA-3hrf-2gc2-mx32 github.com: https://github.com/microsoft/kiota/pull/7831 github.com: https://github.com/microsoft/kiota/commit/ebb632db90aa8e3c20949337d9faa2720d64ca44 github.com: https://github.com/microsoft/kiota/releases/tag/v1.32.3