CVE-2026-39107: n/a
CVE-2026-39107 is a Cross Site Scripting (XSS) vulnerability in the Kimi AI v1. 0 web interface's 'Preview' feature. The application does not properly sanitize or encode HTML/JavaScript payloads generated by the AI model. When users switch to the 'Preview' tab, malicious scripts can execute in their browser sessions. There is no information on patches or official remediation. No known exploits are reported in the wild. The vulnerability could allow arbitrary JavaScript execution within the affected application context.
AI Analysis
Technical Summary
This vulnerability involves improper handling of AI-generated content in the Kimi AI v1.0 web interface. Specifically, the 'Preview' feature renders AI-generated HTML/JavaScript payloads directly into the DOM without adequate sanitization or encoding. This results in a Cross Site Scripting (XSS) flaw that enables arbitrary JavaScript execution in the victim's browser when viewing the 'Preview' tab. No CVSS score or patch information is available, and no known exploits have been reported.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session when using the 'Preview' feature. This can lead to session hijacking, data theft, or other malicious actions limited to the privileges of the web application user. The impact is confined to users interacting with the vulnerable feature.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users and administrators should avoid using the 'Preview' feature with untrusted AI-generated content. Implementing input sanitization or disabling the feature may reduce risk.
CVE-2026-39107: n/a
Description
CVE-2026-39107 is a Cross Site Scripting (XSS) vulnerability in the Kimi AI v1. 0 web interface's 'Preview' feature. The application does not properly sanitize or encode HTML/JavaScript payloads generated by the AI model. When users switch to the 'Preview' tab, malicious scripts can execute in their browser sessions. There is no information on patches or official remediation. No known exploits are reported in the wild. The vulnerability could allow arbitrary JavaScript execution within the affected application context.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves improper handling of AI-generated content in the Kimi AI v1.0 web interface. Specifically, the 'Preview' feature renders AI-generated HTML/JavaScript payloads directly into the DOM without adequate sanitization or encoding. This results in a Cross Site Scripting (XSS) flaw that enables arbitrary JavaScript execution in the victim's browser when viewing the 'Preview' tab. No CVSS score or patch information is available, and no known exploits have been reported.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session when using the 'Preview' feature. This can lead to session hijacking, data theft, or other malicious actions limited to the privileges of the web application user. The impact is confined to users interacting with the vulnerable feature.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users and administrators should avoid using the 'Preview' feature with untrusted AI-generated content. Implementing input sanitization or disabling the feature may reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-04-06T00:00:00.000Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a20657ce29bf47b50d4101d
Added to database: 6/3/2026, 5:33:48 PM
Last enriched: 6/3/2026, 5:48:36 PM
Last updated: 6/3/2026, 6:46:38 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.