{"id":"CVE-2026-59859","summary":"Kiota: Code Generation Literal Injection in the PHP Generator","details":"Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.4, Kiota's PHP generator embedded OpenAPI description, default fields, property names, and other schema-derived strings into PHP double-quoted literals through SanitizeDoubleQuote() in Writers/StringExtensions.cs without escaping $, allowing attacker-controlled ${...}, $var, or {$obj-\u003eprop} interpolation constructs to inject arbitrary PHP code into generated model and request-builder classes. This issue is fixed in version 1.32.4.","aliases":["GHSA-jqwh-526h-c92j"],"modified":"2026-07-18T03:47:44.044377577Z","published":"2026-07-16T14:40:27.319Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-94"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59859.json"},"references":[{"type":"WEB","url":"https://github.com/microsoft/kiota/releases/tag/v1.32.4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59859.json"},{"type":"ADVISORY","url":"https://github.com/microsoft/kiota/security/advisories/GHSA-jqwh-526h-c92j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-59859"},{"type":"FIX","url":"https://github.com/microsoft/kiota/commit/5e2a211ac4261988fbdc72c3b268596ea8837b87"},{"type":"FIX","url":"https://github.com/microsoft/kiota/pull/7863"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/microsoft/kiota","events":[{"introduced":"0"},{"fixed":"5e2a211ac4261988fbdc72c3b268596ea8837b87"},{"fixed":"c4c336aa144464d5569786de62c3021fd12da755"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"1.32.4"}]}}],"versions":["v1.32.3","v1.32.2","v1.32.1","v1.32.0","v1.31.1","v1.31.0","v1.30.0","v1.29.0","v1.27.0","v1.27.0-preview.202506050001","v1.27.0-preview.202505290001","v1.27.0-preview.202505220001","v1.26.1","v1.26.0","v1.25.1-preview.202505010001","v1.25.1-preview.202504240001","v1.25.1-preview.202504170001","v1.25.1-preview.202504100001","v1.25.1","v1.24.3","v1.24.2","v1.24.1","v1.24.0","v1.24.0-preview.202503060001","v1.24.0-preview.202502270001","v1.23.0","v1.23.0-preview.202501310001","v1.22.3","v1.22.2","v1.22.1","v1.22.0","v1.22.0-preview.202412270001","v1.22.0-preview.202412190001","v1.22.0-preview.202412120001","v1.21.0","v1.21.0-preview.202411290004","v1.21.0-preview.202411290003","v1.21.0-preview.202411220001","v1.21.0-preview.202411150001","v1.20.0","v1.20.0-preview.202410240001","v1.20.0-preview.202410180001","v1.19.1","v1.20.0-preview.202410100001","v1.19.0","v1.19.0-preview.202409260001","v1.19.0-preview.202409200002","v1.19.0-preview.202409200001","v1.19.0-preview.202409120001","v1.18.0","v1.18.0-preview.202408290001","v1.18.0-preview.202408220001","v1.18.0-preview.202408150001","v1.17.0","v1.17.0-preview.202408010001","v1.16.0","v1.16.0-preview.202406270001","v1.16.0-preview.202406210001","v1.16.0-preview.202406130001","v1.15.0","v1.15.0-preview.202405310001","v1.15.0-preview.202405230001","v1.15.0-preview.202405160001","v1.15.0-preview.202405090001","v1.14.0","v1.14.0-preview.202404250001","v1.14.0-preview.202404180001","v1.14.0-preview.202404120001","v1.13.0-preview.202403280001","v1.13.0","v1.13.0-preview.202403210001","v1.12.0","v1.12","v1.12.0-preview.202402290001","v1.12.0-preview.202402220002","v1.11.1-preview.202402220001","v1.11.1-preview.202402150001","v1.11.1-preview.202402080001","v1.11.1","v1.11.0","v1.11.0-preview.202401300001","v1.10.1","v1.10.0","v1.10.0-preview.202312220001","v1.9.1","v1.9.0-preview.202311300001","v1.9.0-preview.202311230001","v1.9.0-preview.202311160001","v1.8.2","v1.8.1","v1.8.0","v1.8.0-preview.202310260001","v1.8.0-preview.202310190001","v1.7.0","v1.8.0-preview.202310120001","v1.7.0-preview.202309280001","v1.7.0-preview.202309210001","v1.6.1","v1.6.0","v1.6.0-preview.202309070001","v1.6.0-preview.202308310001","v1.6.0-preview.202308240001","v1.5.1","v1.5.0","v1.5.0-preview.202308030001","v1.5.0-preview.202307270001","v1.5.0-preview.202307200001","v1.5.0-preview.202307170006","v1.4.0","v1.3.0","v1.2.1","v1.2.0","v1.1.1","v1.1.0","v1.0.1","v1.0.0","v0.11.1","v0.11.0","v0.10.0","v0.9.0","v0.8.3","v0.8.2","v0.8.1","v0.8.0","v0.7.0","v0.7.1","v0.6.0","v0.5.1","v0.5.0","v0.4.0","v0.3.0","v0.2.1","v0.2.0","v0.1.3","v0.1.2","v0.1.1","v0.1.0","v0.0.23","v0.0.22","v0.0.21","v0.0.20","v0.0.19","v0.0.18","v0.0.17","v0.0.16","v0.0.15","v0.0.14","v0.0.13","v0.0.12","v0.0.11","v0.0.10","v0.0.9","v0.0.8","v0.0.7","v0.0.6","v0.0.5","v0.0.4","v0.0.3","v0.0.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59859.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}