HTML Injection Vulnerability in OpenCode by Anomaly Co.
CVE-2026-22813
9.4 CRITICAL
What is CVE-2026-22813?
OpenCode, an open source AI coding agent developed by Anomaly Co., contains a vulnerability in its markdown renderer that allows arbitrary HTML to be inserted into the Document Object Model (DOM). The renderer does not sanitize the HTML it produces (for example with DOMPurify), and the web interface sets no Content Security Policy (CSP). An attacker who can influence the content rendered during a chat session can therefore inject HTML, potentially leading to unauthorized JavaScript execution in the local host environment. This issue has been addressed in version 1.1.10.
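The two missing controls named in the description, output sanitization and a CSP, can be illustrated with a small example. The following JavaScript is added here for illustration and is not OpenCode's code; it uses a toy markdown converter (hypothetical, handling only `**bold**` and backtick code) to show the unsafe pattern, where markup in the untrusted text passes straight through to the HTML that reaches the DOM, next to a hardened version that escapes the text before conversion, plus a conservative CSP header value a local web UI could send. A maintained sanitizer such as DOMPurify applied to the rendered HTML is the usual choice in a real renderer; escaping first is the simpler, stricter alternative shown here.

```javascript
// Added illustration (not OpenCode's code): a toy markdown-to-HTML step in its
// unsafe form and in an escaped form, plus a CSP header value. The markdown
// subset and the sample reply are constructed for this example.

// Escape the five characters that can open tags, attributes or entities.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Toy markdown subset: **bold** and `code`.
function markdownToHtml(text) {
  return text
    .replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>")
    .replace(/`([^`]+)`/g, "<code>$1</code>");
}

// UNSAFE: whatever markup the untrusted chat text contains is kept verbatim,
// so it lands in the DOM as real HTML when assigned to innerHTML.
function renderUnsafe(untrustedMarkdown) {
  return markdownToHtml(untrustedMarkdown);
}

// SAFE: escape the untrusted text first, then apply the markdown conversion.
// Only tags the renderer itself emits (<strong>, <code>) can appear.
function renderSafe(untrustedMarkdown) {
  return markdownToHtml(escapeHtml(untrustedMarkdown));
}

// Content-Security-Policy a local web UI could send: inline script is not
// allowed, so even markup that slips through cannot run script from the page.
function cspHeaderValue() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'none'",
  ].join("; ");
}

// Detection helper for unit tests: does the output contain any tag the
// renderer never emits? Case-insensitive; <strong> and <code> are allowed.
function containsUnexpectedTag(html) {
  const allowed = new Set(["strong", "code"]);
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowed.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample: a chat reply mixing legitimate markdown with raw markup.
const SAMPLE_REPLY =
  'Run **npm test** then check <script>console.log("injected")</script> output';

console.log("unsafe:", renderUnsafe(SAMPLE_REPLY));
console.log("safe:  ", renderSafe(SAMPLE_REPLY));
console.log("csp:   ", cspHeaderValue());
```

The `containsUnexpectedTag` check is the kind of assertion a renderer's test suite can run over sample replies: it fails on the unsafe output and passes on the escaped one. The CSP alone does not fix the injection, but it removes the inline-script path that turns HTML injection into code execution, which is why the description lists both controls.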
Affected Version(s)
opencode < 1.1.10
References
CVSS V4
Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
