Remote Code Execution Vulnerability in Pi by Earendil Works
CVE-2026-54325

4.4 MEDIUM

Key Information:

Vendor: Earendil Works
CVE published: 23 June 2026

What is CVE-2026-54325?

Pi is a minimal terminal coding harness. Before version 0.79.0, Pi loaded project-local configuration, including project-local extensions written in JavaScript or TypeScript, from the repository it was started in and executed them without first asking the user whether that project should be trusted. An attacker who controls a repository (for example, one the victim clones and then opens with Pi) can therefore ship an extension that runs arbitrary code with the same privileges as the victim's Pi process. The attack is local in the CVSS sense: it requires the victim to run an affected Pi release from inside the attacker-controlled repository. Version 0.79.0 fixes the issue and users should upgrade to it. Until then, do not run an affected Pi release inside a repository you have not reviewed, and inspect any project-local extension files before opening the project.
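The following is an added example, not code from Pi or Earendil Works, that contrasts the pre-0.79.0 behaviour described above with a trust-gated loader of the kind a fix would introduce. The `.pi/extensions/` layout, the `ProjectExtension` shape and the per-user `TrustStore` keyed by repository path and content digest are assumptions for illustration; Pi's real data structures and its actual fix are not described on this page. Execution is simulated with a recorder callback, so the sample evaluates no extension code.

```typescript
// Added example: trust gate for project-local extensions (hypothetical design,
// not Pi's implementation). An extension runs only if the user has approved
// this repository at this exact file content; editing the file revokes approval.
import { createHash } from "node:crypto";

export interface ProjectExtension {
  repoPath: string; // absolute path of the repository shipping the extension
  file: string;     // extension path relative to the repository root
  source: string;   // JS/TS source as read from disk
}

// Per-user trust store: repository path -> approved SHA-256 content digests.
// (Assumed layout; the real store, if any, is not described on this page.)
export type TrustStore = Map<string, Set<string>>;

export function digest(source: string): string {
  return createHash("sha256").update(source, "utf8").digest("hex");
}

// Record an explicit user decision for one extension at its current content.
export function approve(store: TrustStore, ext: ProjectExtension): void {
  let approved = store.get(ext.repoPath);
  if (!approved) {
    approved = new Set<string>();
    store.set(ext.repoPath, approved);
  }
  approved.add(digest(ext.source));
}

export function isTrusted(store: TrustStore, ext: ProjectExtension): boolean {
  return store.get(ext.repoPath)?.has(digest(ext.source)) ?? false;
}

export interface LoadResult {
  executed: string[];
  blocked: string[];
}

// Pre-fix behaviour from the advisory: every project-local extension is handed
// to the runtime with the privileges of the Pi process, no prompt, no check.
export function loadUnchecked(
  exts: ProjectExtension[],
  run: (e: ProjectExtension) => void,
): LoadResult {
  for (const e of exts) run(e);
  return { executed: exts.map((e) => e.file), blocked: [] };
}

// Hardened behaviour: unapproved extensions are reported and skipped, never run.
export function loadTrusted(
  store: TrustStore,
  exts: ProjectExtension[],
  run: (e: ProjectExtension) => void,
): LoadResult {
  const result: LoadResult = { executed: [], blocked: [] };
  for (const e of exts) {
    if (isTrusted(store, e)) {
      run(e);
      result.executed.push(e.file);
    } else {
      result.blocked.push(e.file);
    }
  }
  return result;
}

// Constructed sample repository: one benign extension and one that would spawn
// a shell if it were actually evaluated. Nothing here is executed for real.
export const sampleRepo = "/home/dev/untrusted-clone";
export const sampleExtensions: ProjectExtension[] = [
  { repoPath: sampleRepo, file: ".pi/extensions/format.ts", source: "export default () => 'format';" },
  { repoPath: sampleRepo, file: ".pi/extensions/hook.ts",
    source: "import { execSync } from 'node:child_process'; execSync('id');" },
];

// Walks through the three situations: unchecked load, trust-gated load after the
// user approved only format.ts, and a load after format.ts was modified.
export function demo(): { before: LoadResult; after: LoadResult; afterEdit: LoadResult } {
  const ran: string[] = [];
  const run = (e: ProjectExtension) => { ran.push(e.file); }; // recorder, not an evaluator
  const before = loadUnchecked(sampleExtensions, run);   // both files "run" without a prompt
  const store: TrustStore = new Map();
  approve(store, sampleExtensions[0]);                   // user reviewed and approved format.ts
  const after = loadTrusted(store, sampleExtensions, run); // hook.ts is blocked
  const edited: ProjectExtension = { ...sampleExtensions[0], source: sampleExtensions[0].source + " // changed" };
  const afterEdit = loadTrusted(store, [edited], run);   // changed content needs re-approval
  return { before, after, afterEdit };
}
```

Binding approval to a content digest rather than to the repository path alone is the important design choice: a repository the user trusted yesterday can be updated by its owner today, so a path-only allowlist would re-open the same code execution path after a `git pull`.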

Affected Version(s)

pi < 0.79.0


CVSS v3.1

Score: 4.4
Severity: MEDIUM
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Note: fed into the CVSS v3.1 base formula, the metric values listed above produce a base score of 5.3, not 4.4, so either the score or one of the metrics on this page is inaccurate; confirm both against the authoritative CVE record before relying on them.

Timeline

  • Vulnerability reserved

  • Vulnerability published (23 June 2026)
