{"id":"CVE-2026-59860","summary":"Kiota: XML Doc-Comment Newline Breakout Code Injection","details":"Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.3, Kiota is affected by a code-generation injection vulnerability in the C# XML documentation-comment sink (the description, externalDocs label, and externalDocs link fields emitted as /// … comments). When text from an OpenAPI description is written into single-line XML doc comments without stripping newline and Unicode line-terminator characters, an attacker can break out of the /// comment line and inject additional code into generated C# clients. This issue is fixed in version 1.32.3.","aliases":["GHSA-3hrf-2gc2-mx32"],"modified":"2026-07-18T03:47:43.389389885Z","published":"2026-07-16T14:34:24.549Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59860.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-94"]},"references":[{"type":"WEB","url":"https://github.com/microsoft/kiota/releases/tag/v1.32.3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59860.json"},{"type":"ADVISORY","url":"https://github.com/microsoft/kiota/security/advisories/GHSA-3hrf-2gc2-mx32"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-59860"},{"type":"FIX","url":"https://github.com/microsoft/kiota/commit/ebb632db90aa8e3c20949337d9faa2720d64ca44"},{"type":"FIX","url":"https://github.com/microsoft/kiota/pull/7831"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/microsoft/kiota","events":[{"introduced":"0"},{"fixed":"ebb632db90aa8e3c20949337d9faa2720d64ca44"},{"fixed":"60b1f80ccce5e113a375c675a123221b391b3613"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"1.32.3"}]}}],"versions":["v1.32.2","v1.32.1","v1.32.0","v1.31.1","v1.31.0","v1.30.0","v1.29.0","v1.27.0","v1.27.0-preview.202506050001","v1.27.0-preview.202505290001","v1.27.0-preview.202505220001","v1.26.1","v1.26.0","v1.25.1-preview.202505010001","v1.25.1-preview.202504240001","v1.25.1-preview.202504170001","v1.25.1-preview.202504100001","v1.25.1","v1.24.3","v1.24.2","v1.24.1","v1.24.0","v1.24.0-preview.202503060001","v1.24.0-preview.202502270001","v1.23.0","v1.23.0-preview.202501310001","v1.22.3","v1.22.2","v1.22.1","v1.22.0","v1.22.0-preview.202412270001","v1.22.0-preview.202412190001","v1.22.0-preview.202412120001","v1.21.0","v1.21.0-preview.202411290004","v1.21.0-preview.202411290003","v1.21.0-preview.202411220001","v1.21.0-preview.202411150001","v1.20.0","v1.20.0-preview.202410240001","v1.20.0-preview.202410180001","v1.19.1","v1.20.0-preview.202410100001","v1.19.0","v1.19.0-preview.202409260001","v1.19.0-preview.202409200002","v1.19.0-preview.202409200001","v1.19.0-preview.202409120001","v1.18.0","v1.18.0-preview.202408290001","v1.18.0-preview.202408220001","v1.18.0-preview.202408150001","v1.17.0","v1.17.0-preview.202408010001","v1.16.0","v1.16.0-preview.202406270001","v1.16.0-preview.202406210001","v1.16.0-preview.202406130001","v1.15.0","v1.15.0-preview.202405310001","v1.15.0-preview.202405230001","v1.15.0-preview.202405160001","v1.15.0-preview.202405090001","v1.14.0","v1.14.0-preview.202404250001","v1.14.0-preview.202404180001","v1.14.0-preview.202404120001","v1.13.0-preview.202403280001","v1.13.0","v1.13.0-preview.202403210001","v1.12.0","v1.12","v1.12.0-preview.202402290001","v1.12.0-preview.202402220002","v1.11.1-preview.202402220001","v1.11.1-preview.202402150001","v1.11.1-preview.202402080001","v1.11.1","v1.11.0","v1.11.0-preview.202401300001","v1.10.1","v1.10.0","v1.10.0-preview.202312220001","v1.9.1","v1.9.0-preview.202311300001","v1.9.0-preview.202311230001","v1.9.0-preview.202311160001","v1.8.2","v1.8.1","v1.8.0","v1.8.0-preview.202310260001","v1.8.0-preview.202310190001","v1.7.0","v1.8.0-preview.202310120001","v1.7.0-preview.202309280001","v1.7.0-preview.202309210001","v1.6.1","v1.6.0","v1.6.0-preview.202309070001","v1.6.0-preview.202308310001","v1.6.0-preview.202308240001","v1.5.1","v1.5.0","v1.5.0-preview.202308030001","v1.5.0-preview.202307270001","v1.5.0-preview.202307200001","v1.5.0-preview.202307170006","v1.4.0","v1.3.0","v1.2.1","v1.2.0","v1.1.1","v1.1.0","v1.0.1","v1.0.0","v0.11.1","v0.11.0","v0.10.0","v0.9.0","v0.8.3","v0.8.2","v0.8.1","v0.8.0","v0.7.0","v0.7.1","v0.6.0","v0.5.1","v0.5.0","v0.4.0","v0.3.0","v0.2.1","v0.2.0","v0.1.3","v0.1.2","v0.1.1","v0.1.0","v0.0.23","v0.0.22","v0.0.21","v0.0.20","v0.0.19","v0.0.18","v0.0.17","v0.0.16","v0.0.15","v0.0.14","v0.0.13","v0.0.12","v0.0.11","v0.0.10","v0.0.9","v0.0.8","v0.0.7","v0.0.6","v0.0.5","v0.0.4","v0.0.3","v0.0.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59860.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}