PULSE
EN VIVO37señales / 24h
FEED
ransomgunra reclama a Dissinger and Dissinger Law Firm · US · Business Servicesransomplay reclama a Boston Electric and Telephone · US · Telecommunicationransomplay reclama a Wring Group · GB · Not Foundransomincransom reclama a asa-international.com · GB · Business Servicesransomplay reclama a AG Scholtes · NL · Manufacturingransomplay reclama a Andorra Life · AD · Healthcareransomplay reclama a Svensk Direktreklam · SE · Business Servicesransomchaos reclama a radiax.com · US · Technologyransominterlock reclama a Converting Equipment International · GB · Manufacturingransomblack x reclama a sanaa · YE · Not Foundransomthegentlemen reclama a Tangram Interiors · GB · Business Servicesransomthegentlemen reclama a BRAC · BD · Business Servicesransomthegentlemen reclama a Customs Watch · US · Public Sectorransomthegentlemen reclama a Gallant · FI · Not Foundransomgunra reclama a Dissinger and Dissinger Law Firm · US · Business Servicesransomplay reclama a Boston Electric and Telephone · US · Telecommunicationransomplay reclama a Wring Group · GB · Not Foundransomincransom reclama a asa-international.com · GB · Business Servicesransomplay reclama a AG Scholtes · NL · Manufacturingransomplay reclama a Andorra Life · AD · Healthcareransomplay reclama a Svensk Direktreklam · SE · Business Servicesransomchaos reclama a radiax.com · US · Technologyransominterlock reclama a Converting Equipment International · GB · Manufacturingransomblack x reclama a sanaa · YE · Not Foundransomthegentlemen reclama a Tangram Interiors · GB · Business Servicesransomthegentlemen reclama a BRAC · BD · Business Servicesransomthegentlemen reclama a Customs Watch · US · Public Sectorransomthegentlemen reclama a Gallant · FI · Not Found
← Todos los CVEs
CVE Watch16 jul 2026

CVE-2026-59867

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota resolved OpenAPI $ref values by fetching remote http(s) URLs an

CVSS

7.1

Alto

EPSS

KEV

Exploit Today

0

0-100

Publicado: 16 jul 2026 · Última mod.: 16 jul 2026 · CWE-22 · CWE-829 · CWE-918

EPSS · 30d

Sin historial EPSS suficiente todavía.

Descripción técnica

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota resolved OpenAPI $ref values by fetching remote http(s) URLs and reading local absolute or out-of-tree file paths, allowing `kiota generate` on an attacker-controlled or attacker-influenced description to perform build-time SSRF, remote file inclusion, and local file inclusion by inlining external schemas such as REMOTE_KIOTA_PROP or Leaked into generated clients. This issue is fixed in version 1.32.5 by AllowedExternalOriginsStreamLoader and the --allowed-external-origins option.

Referencias oficiales
CVEs relacionados
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2023-389507.5 ALT
99.7%
KEV80ZKTeco BioTime Path Traversal Vulnerability7d
CVE-2026-202308.6 ALT
98.5%
KEV80Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability15d
CVE-2026-4828210.0 CRÍ
97.9%
KEV79Adobe ColdFusion Path Traversal Vulnerability8d
CVE-2026-1540910.0 CRÍ
66.4%
KEV70SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability20h
CVE-2020-248819.8 CRÍ
99.4%
30SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to server or perform port scanning.6d
CVE-2026-445788.6 ALT
98.4%
30Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.13h