CVE-2026-39107: Kimi AI v1.0 Cross-Site Scripting in Preview Feature
Kimi AI v1.0 has a cross-site scripting (XSS) vulnerability in its Preview feature. When the AI generates code and displays it in the Preview tab, the application fails to sanitize the output properly. An attacker can embed malicious JavaScript in AI-generated responses, which then executes in a user's browser with the privileges of that session. This could allow theft of session cookies, unauthorized actions on behalf of the user, or credential harvesting.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
A Cross Site Scripting vulnerability exists in the Kimi AI v1.0 web interface's 'Preview' feature. The application fails to properly sanitize or encode HTML/JavaScript payloads generated by the AI model. When a user switches to the 'Preview' tab to view AI-generated code, the malicious payload is rendered directly into the DOM, leading to arbitrary JavaScript execution in the victim's browser session.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-39107 is a stored or reflected cross-site scripting flaw (CWE-79) in the Kimi AI v1.0 Preview interface. The vulnerability stems from insufficient HTML/JavaScript encoding when rendering AI model outputs to the DOM. An attacker can craft prompts that cause the AI to generate payloads containing unescaped script tags or event handlers. When a victim previews the generated code, the browser executes the injected JavaScript in the user's security context, bypassing the application's intended sandbox or preview isolation. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) reflects network attack surface, low attack complexity, no privilege requirement, but mandatory user interaction to trigger.
Business impact
An attacker leveraging this XSS can impersonate users within the Kimi AI application, access sensitive information visible to the victim's account, modify or delete user data, redirect users to phishing sites, or install malware. In a multi-tenant or enterprise deployment, lateral movement may be possible if the application shares authentication tokens or session state. The reliance on AI-generated code preview suggests developers and technical users are the primary targets, potentially exposing intellectual property or development practices.
Affected systems
Kimi AI v1.0 web interface, specifically the Preview feature used to display AI-generated code. The vulnerability affects all installations and users of this version that access the Preview tab with untrusted or attacker-controlled AI prompts.
Exploitability
Exploitation requires user interaction—a victim must navigate to the Preview tab to render the malicious payload. No authentication bypass or privilege escalation is needed; any user can trigger the XSS. The attack surface is broad (network-accessible) and attack complexity is low. Proof-of-concept is straightforward: inject a prompt containing script tags or event handlers and wait for the victim to preview. The vulnerability is likely trivial to exploit at scale if AI output is not validated.
Remediation
Implement strict output encoding: HTML-encode all AI-generated content before insertion into the DOM, or use textContent instead of innerHTML for dynamic content. Validate and sanitize AI responses server-side prior to storage or transmission. Employ a Content Security Policy (CSP) to restrict inline script execution and limit damage from any XSS that escapes sanitization. Consider a sandboxed iframe for code preview to isolate execution context. Apply input validation on user prompts to reject or neutralize known malicious patterns before feeding them to the AI model.
Patch guidance
Verify the availability of a patched version from the Kimi AI vendor. Check the vendor's security advisory or release notes for v1.0.1 or later that addresses XSS output sanitization in the Preview feature. If no patch is available, request an ETA from the vendor and implement compensating controls (see remediation). Test patches in a non-production environment before deployment to ensure no regression in code preview functionality.
Detection guidance
Monitor for unusual JavaScript patterns in AI-generated code outputs: script tags, event handlers (onload, onerror, onclick), or encoded payloads. Log access to the Preview feature and correlate with suspicious user behavior or anomalous account activity. Use browser developer tools or proxy logs to inspect DOM mutations in the Preview tab. Implement server-side validation logging to flag AI responses containing high-risk HTML/JavaScript constructs. Endpoint detection and response (EDR) tools may detect process spawning or credential access following XSS execution, though XSS often operates silently for session hijacking.
Why prioritize this
Although scored MEDIUM (6.3), this vulnerability merits prompt attention due to user interaction being the only barrier to exploitation and the direct exposure of user sessions. XSS in a code preview tool targets technical users who may have elevated privileges, broader access, or valuable intellectual property. The lack of CISA KEV status does not diminish urgency; active exploitation may not yet be documented. Prioritize if Kimi AI is used for sensitive or proprietary code generation.
Risk score, explained
CVSS 3.1 score of 6.3 (MEDIUM) reflects: network accessibility (AV:N), straightforward attack requiring minimal precondition (AC:L), no privilege requirement (PR:N), but mandatory user interaction (UI:R) to navigate to Preview. Impact is limited to confidentiality, integrity, and availability at the user-session level (S:U, C:L, I:L, A:L)—no system-wide compromise. The score appropriately captures the practical risk: high likelihood of exploitation if an attacker controls prompt input, but confined to individual user sessions rather than server-side compromise.
Frequently asked questions
Can an attacker exploit this without the victim visiting the Preview tab?
No. The vulnerability requires a user to actively click the Preview tab and trigger rendering of the malicious AI-generated payload. However, if an attacker can control the prompts fed to the AI or inject payloads into cached or shared code snippets, they can lure users to preview them.
Does this vulnerability affect the AI model itself or only the web interface?
Only the web interface's Preview feature is affected. The vulnerability is in how the application renders AI output to the user's browser, not in the AI model's training or inference. The AI may generate benign code, but the application fails to sanitize it before display.
What should I do if I cannot patch immediately?
Implement output encoding on all AI-generated content displayed in the Preview tab, apply a strict Content Security Policy to block inline scripts, and educate users to avoid previewing code from untrusted or user-supplied prompts. Monitor account activity for signs of session hijacking or unauthorized actions.
Is this vulnerability exploitable via API endpoints or only the web UI?
The description specifies the web interface's Preview feature. If Kimi AI exposes an API that returns unencoded AI-generated code, similar XSS may exist there; verify with the vendor or conduct API testing.
This analysis is based on the published CVE record and vendor information as of June 2026. No exploit code or weaponized proof-of-concept is provided. Organizations are advised to verify patch availability directly with Kimi AI and to test any updates in non-production environments before deployment. SEC.co does not provide liability for damage arising from the use or misuse of this information. Always consult your security team and vendor advisories before taking remedial action. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1