Retour à la veille

CVE-2026-59859

Publié : 16 juillet 2026
Modifié : 16 juillet 2026
Lien officiel NVD

Description détaillée

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.4, Kiota's PHP generator embedded OpenAPI description, default fields, property names, and other schema-derived strings into PHP double-quoted literals through SanitizeDoubleQuote() in Writers/StringExtensions.cs without escaping $, allowing attacker-controlled ${...}, $var, or {$obj->prop} interpolation constructs to inject arbitrary PHP code into generated model and request-builder classes. This issue is fixed in version 1.32.4.

Références et Patchs

Dernières Vulnérabilités