CVE-2026-59859

Source
https://cve.org/CVERecord?id=CVE-2026-59859
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59859.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59859
Aliases
  • GHSA-jqwh-526h-c92j
Published
2026-07-16T14:40:27.319Z
Modified
2026-07-18T03:47:44.044377577Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Kiota: Code Generation Literal Injection in the PHP Generator
Details

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.4, Kiota's PHP generator embedded OpenAPI description, default fields, property names, and other schema-derived strings into PHP double-quoted literals through SanitizeDoubleQuote() in Writers/StringExtensions.cs without escaping $, allowing attacker-controlled ${...}, $var, or {$obj->prop} interpolation constructs to inject arbitrary PHP code into generated model and request-builder classes. This issue is fixed in version 1.32.4.

Database specific
{
    "cwe_ids": [
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59859.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/microsoft/kiota

Affected ranges

Type
GIT
Repo
https://github.com/microsoft/kiota
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.32.4"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.16
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.10.0
v0.11.0
v0.11.1
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.5.0
v0.5.1
v0.6.0
v0.7.0
v0.7.1
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.9.0
v1.*
v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.10.0
v1.10.0-preview.202312220001
v1.10.1
v1.11.0
v1.11.0-preview.202401300001
v1.11.1
v1.11.1-preview.202402080001
v1.11.1-preview.202402150001
v1.11.1-preview.202402220001
v1.12
v1.12.0
v1.12.0-preview.202402220002
v1.12.0-preview.202402290001
v1.13.0
v1.13.0-preview.202403210001
v1.13.0-preview.202403280001
v1.14.0
v1.14.0-preview.202404120001
v1.14.0-preview.202404180001
v1.14.0-preview.202404250001
v1.15.0
v1.15.0-preview.202405090001
v1.15.0-preview.202405160001
v1.15.0-preview.202405230001
v1.15.0-preview.202405310001
v1.16.0
v1.16.0-preview.202406130001
v1.16.0-preview.202406210001
v1.16.0-preview.202406270001
v1.17.0
v1.17.0-preview.202408010001
v1.18.0
v1.18.0-preview.202408150001
v1.18.0-preview.202408220001
v1.18.0-preview.202408290001
v1.19.0
v1.19.0-preview.202409120001
v1.19.0-preview.202409200001
v1.19.0-preview.202409200002
v1.19.0-preview.202409260001
v1.19.1
v1.2.0
v1.2.1
v1.20.0
v1.20.0-preview.202410100001
v1.20.0-preview.202410180001
v1.20.0-preview.202410240001
v1.21.0
v1.21.0-preview.202411150001
v1.21.0-preview.202411220001
v1.21.0-preview.202411290003
v1.21.0-preview.202411290004
v1.22.0
v1.22.0-preview.202412120001
v1.22.0-preview.202412190001
v1.22.0-preview.202412270001
v1.22.1
v1.22.2
v1.22.3
v1.23.0
v1.23.0-preview.202501310001
v1.24.0
v1.24.0-preview.202502270001
v1.24.0-preview.202503060001
v1.24.1
v1.24.2
v1.24.3
v1.25.1
v1.25.1-preview.202504100001
v1.25.1-preview.202504170001
v1.25.1-preview.202504240001
v1.25.1-preview.202505010001
v1.26.0
v1.26.1
v1.27.0
v1.27.0-preview.202505220001
v1.27.0-preview.202505290001
v1.27.0-preview.202506050001
v1.29.0
v1.3.0
v1.30.0
v1.31.0
v1.31.1
v1.32.0
v1.32.1
v1.32.2
v1.32.3
v1.4.0
v1.5.0
v1.5.0-preview.202307170006
v1.5.0-preview.202307200001
v1.5.0-preview.202307270001
v1.5.0-preview.202308030001
v1.5.1
v1.6.0
v1.6.0-preview.202308240001
v1.6.0-preview.202308310001
v1.6.0-preview.202309070001
v1.6.1
v1.7.0
v1.7.0-preview.202309210001
v1.7.0-preview.202309280001
v1.8.0
v1.8.0-preview.202310120001
v1.8.0-preview.202310190001
v1.8.0-preview.202310260001
v1.8.1
v1.8.2
v1.9.0-preview.202311160001
v1.9.0-preview.202311230001
v1.9.0-preview.202311300001
v1.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59859.json"