CVE-2026-39107EPSS p18.4%

CVE-2026-39107CVE-2026-39107

Description

A Cross Site Scripting vulnerability exists in the Kimi AI v1.0 web interface's 'Preview' feature. The application fails to properly sanitize or encode HTML/JavaScript payloads generated by the AI model. When a user switches to the 'Preview' tab to view AI-generated code, the malicious payload is rendered directly into the DOM, leading to arbitrary JavaScript execution in the victim's browser session.

Scoring

CVSS 6.3 ()
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS0.27% probability of exploitation · percentile 18.4% · 2026-06-18T12:00:27Z
Last modified2026-06-04

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-36728
CVE
CVE-2026-30586
CVE
CVE-2026-10510
CVE
CVE-2024-7130
CVE
CVE-2024-13073
CVE
CVE-2026-43900
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.