CVE-2026-39107 Overview
CVE-2026-39107 is a Cross-Site Scripting (XSS) vulnerability in the Kimi AI v1.0 web interface. The flaw resides in the application's Preview feature, which renders AI-generated code into the Document Object Model (DOM) without proper sanitization or encoding. When a user switches to the Preview tab, malicious HTML or JavaScript produced by the AI model executes directly in the browser session. The issue is tracked under CWE-79: Improper Neutralization of Input During Web Page Generation.
Critical Impact
Attackers can coerce the AI model into producing malicious payloads that execute arbitrary JavaScript in the victim's browser, enabling session theft, credential harvesting, and unauthorized actions within the Kimi AI interface.
Affected Products
- Kimi AI v1.0 web interface
- Preview tab rendering component
- Browser sessions interacting with AI-generated code output
Discovery Timeline
- 2026-06-03 - CVE-2026-39107 published to NVD
- 2026-06-03 - Last updated in NVD database
- Public resources referenced at the GitHub CVE-2026-39107 Resource
Technical Details for CVE-2026-39107
Vulnerability Analysis
The vulnerability is a client-side XSS flaw triggered when AI-generated content is rendered as live markup. The Preview tab takes the model's output and injects it into the DOM, treating script tags, event handlers, and inline JavaScript as executable content. User interaction is required, since the victim must navigate to the Preview tab to trigger rendering. Once rendered, the payload runs with the privileges of the authenticated user inside the Kimi AI origin.
The attack surface depends on attacker-controlled prompts or shared conversation content. An attacker can craft inputs that steer the model into emitting HTML or JavaScript constructs, then deliver the conversation link or content to a victim. When the victim previews the response, execution occurs within their browser context.
Root Cause
The root cause is missing output encoding on AI-generated markup before insertion into the DOM. The application performs no HTML entity escaping, no Content Security Policy (CSP) enforcement on inline scripts, and no sandboxing of the preview frame. Treating model output as trusted markup violates the principle that all model-generated content must be considered untrusted input.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker prepares a prompt or shared chat that induces the model to output a payload such as <img src=x onerror=...> or an inline <script> block. When the victim opens the conversation and selects Preview, the malicious markup is parsed and executed. The resulting script can exfiltrate session tokens, read DOM contents, perform requests to backend APIs as the victim, or pivot to social engineering. Technical details and proof-of-concept material are referenced in the CVE-2026-39107 resource repository.
Detection Methods for CVE-2026-39107
Indicators of Compromise
- Conversations containing model output with raw <script>, <iframe>, <svg>, or event-handler attributes such as onerror and onload.
- Outbound browser requests from the Kimi AI origin to unfamiliar domains carrying cookie, token, or DOM data.
- Browser console errors or CSP violation reports originating from the Preview tab.
- Unexpected modifications to the user's chat history or account settings after viewing a shared conversation.
Detection Strategies
- Inspect server-side and client-side logs for prompts and completions that contain HTML tag patterns or JavaScript URI schemes.
- Deploy browser-based DOM monitoring to flag dynamic insertion of <script> nodes within the Preview container.
- Correlate suspicious shared conversation URLs with subsequent anomalous API calls authenticated as the recipient user.
Monitoring Recommendations
- Enable CSP violation reporting on the Kimi AI origin to capture inline script execution attempts.
- Alert on outbound requests from the application origin to non-allowlisted destinations.
- Track usage of the Preview feature alongside session token reuse from new IP addresses or user agents.
How to Mitigate CVE-2026-39107
Immediate Actions Required
- Disable or restrict the Preview feature for AI-generated content until a patched build is deployed.
- Instruct users not to open Preview for conversations received from untrusted sources or shared links.
- Rotate session tokens and credentials for any account that may have rendered untrusted preview content.
Patch Information
No vendor advisory or fixed-version information is currently published in the NVD entry for CVE-2026-39107. Monitor the GitHub CVE-2026-39107 Resource and vendor channels for an official fix. A proper remediation must HTML-encode all model output before DOM insertion, render preview content inside a sandboxed <iframe sandbox> with no allow-scripts, and enforce a strict CSP that blocks inline scripts and event handlers.
Workarounds
- Apply a strict Content Security Policy that disallows unsafe-inline and restricts script sources to trusted origins.
- Render Preview content inside a sandboxed iframe without the allow-scripts token to prevent JavaScript execution.
- Pass model output through an HTML sanitizer such as DOMPurify before inserting it into the DOM.
- Strip or escape tags including <script>, <iframe>, <object>, and inline event handlers in the rendering pipeline.
# Example Content-Security-Policy header to block inline script execution in Preview
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-src 'self'; base-uri 'none'; require-trusted-types-for 'script'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
