Description

Kimi Agent SDK is a set of libraries that expose the Kimi Code (Kimi CLI) agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync() as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $(cmd) could execute arbitrary commands. Note: This vulnerability exists only in the repository's development scripts. The published VSCode extension does not include these files and end users are not affected. This is fixed in version 0.1.6 by replacing execSync with execFileSync using array arguments. As a workaround, ensure .vsix files in the project directory have safe filenames before running publish scripts.

INFO

Published Date :

2026-01-29T21:37:02.791Z

Last Modified :

2026-02-02T16:35:37.121Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25046 vulnerability.

Vendors Products
Moonshotai
  • Kimi-agent-sdk
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25046.

URL Resource
https://github.com/MoonshotAI/kimi-agent-sdk/security/advisories/GHSA-mv58-gxx5-8hj3 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact