๐Ÿ” CVE Alert

CVE-2026-59864

UNKNOWN 0.0

Kiota: Path/URL injection into generated Copilot plugin manifest via x-ai-* extensions

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, `kiota plugin add` and `kiota plugin generate` (with `-t APIPlugin`) emitted attacker-controlled static_template.file values from x-ai-adaptive-card and x-ai-capabilities into generated Microsoft 365 Copilot and Teams plugin manifests without path validation, allowing ../, absolute, rooted, UNC, Windows drive, or URI paths in response_semantics.static_template.file to cause path traversal or out-of-package file inclusion when the generated plugin was deployed. This issue is fixed in version 1.32.5.

CWE CWE-22 CWE-829
Vendor microsoft
Product kiota
Ecosystems
Industries
TechnologyEnterprise
Published Jul 16, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for microsoft kiota

Be the first to know when new unknown vulnerabilities affecting microsoft kiota are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

microsoft / kiota
< 1.32.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/microsoft/kiota/security/advisories/GHSA-4jwf-m4wg-8p66 github.com: https://github.com/microsoft/kiota/pull/7892 github.com: https://github.com/microsoft/kiota/commit/9a185994a4e549b7bba3cc2beffb9736aa902e79 github.com: https://github.com/microsoft/kiota/releases/tag/v1.32.5