CVE-2026-54326

Pi: Potential XSS in HTML session exports via Markdown URL sanitization bypass

CVSS 2.5 LOWEPSS 0.1%CWE-79

Vexday Risk Score

8Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 2.5EPSS 0.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

23 jun 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass the check because browsers normalize those characters before navigation. This vulnerability is fixed in 0.78.1.

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Productos afectados

earendil-works · pi

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/earendil-works/pi/commit/6cb23f9b5d5b6d1747672f535b167d0d809ac010 https://github.com/earendil-works/pi/releases/tag/v0.78.1 https://github.com/earendil-works/pi/security/advisories/GHSA-7v5m-pr3q-6453