2 matches found
CVE-2026-9255 Tool Execution Without Authorization via Piped Stdin in Kiro CLI
Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin. We recommend that you upgrade to kiro-cli version...
Out-of-bounds Read
Overview: Affected versions of this package are vulnerable to Out-of-bounds Read in the bsdtar process when file streams are piped, leading to reading past the end of a file. An attacker can cause unintended program behavior, memory corruption, or application crash by supplying specially crafted...