Dismissed
(max. allowed matches exceeded)
Permalink
CVE-2026-54326
2.5 LOW
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): None (N)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): None (N)
Activity log
- Created & dismissed (max. allowed matches exceeded) suggestion
Pi: Potential XSS in HTML session exports via Markdown URL sanitization bypass
Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass the check because browsers normalize those characters before navigation. This vulnerability is fixed in 0.78.1.
References
-
https://github.com/earendil-works/pi/security/advisories/GHSA-7v5m-pr3q-6453 x_refsource_CONFIRM
-
https://github.com/earendil-works/pi/releases/tag/v0.78.1 x_refsource_MISC
Affected products
pi
- ==>= 0.74.0, < 0.78.1