๐Ÿ” CVE Alert

CVE-2026-59865

UNKNOWN 0.0

Kiota: Command injection via x-ms-kiota-info dependencyInstallCommand surfaced by `kiota info`

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, `kiota info` read x-ms-kiota-info.languagesInformation.<language>.dependencyInstallCommand plus dependency name and version values from an OpenAPI description and presented the spec-supplied command as Kiota's recommended install command, allowing an attacker-controlled or compromised description to cause command injection when the suggested command was run manually or through the Kiota VS Code extension's kiota info --json dependency-install flow. This issue is fixed in version 1.32.5.

CWE CWE-94 CWE-829
Vendor microsoft
Product kiota
Ecosystems
Industries
TechnologyEnterprise
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for microsoft kiota

Be the first to know when new unknown vulnerabilities affecting microsoft kiota are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

microsoft / kiota
< 1.32.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/microsoft/kiota/security/advisories/GHSA-hq9q-27g5-qwpj github.com: https://github.com/microsoft/kiota/pull/7883 github.com: https://github.com/microsoft/kiota/commit/e1d6d76c6eecbe50785429166faaf8c831e036c6 github.com: https://github.com/microsoft/kiota/releases/tag/v1.32.5