← volver
CVE-2026-59859highCWE-94

Kiota: Code Generation Literal Injection in the PHP Generator

21Vexday Risk Score

Sin señal de explotación. Ningún artefacto público de explotación conocido hasta ahora.

ssvc Trackcvss 8.7epss 1.0%
probabilidad de explotación
1.0%top 41% de las CVE
explotación observada
noninguna fuente lo reporta
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.4, Kiota's PHP generator embedded OpenAPI description, default fields, property names, and other schema-derived strings into PHP double-quoted literals through SanitizeDoubleQuote() in Writers/StringExtensions.cs without escaping $, allowing attacker-controlled ${...}, $var, or {$obj->prop} interpolation constructs to inject arbitrary PHP code into generated model and request-builder classes. This issue is fixed in version 1.32.4.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Productos afectados
microsoft · kiota