Cross-Site Scripting in Pi by Earendil Works
CVE-2026-54326

2.5 LOW

Key Information:

CVE Published:
23 June 2026

What is CVE-2026-54326?

The Pi terminal coding harness has a vulnerability affecting versions from 0.74.0 up to, but not including, 0.78.1: the HTML export feature does not adequately filter unsafe URL schemes in Markdown links and images. Specifically, C0 control characters placed within the URL scheme can get past the existing checks, because browsers strip such characters when parsing a URL and therefore still resolve the scheme the filter was meant to block. An attacker who can get a crafted URL into a document that is exported to HTML may thus inject malicious content into the exported page. The vulnerability is addressed in version 0.78.1, which implements improved filtering.
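To make the flaw concrete, the following is an added example (not pi's own export code) that places a scheme filter which tests the raw Markdown URL string beside one that first normalizes the URL the way the WHATWG URL parser does; the scheme lists and the sample inputs are constructed assumptions.

```javascript
// Added example, not code from pi. Compares a raw-string scheme check with
// one that normalizes the URL as a browser would before inspecting it.

// Weak check: tests the raw string. A C0 control character inside the
// scheme (here a tab between "java" and "script") stops the regex from
// matching, so the URL is treated as relative and passes.
const BLOCKED_SCHEMES = new Set(["javascript", "vbscript", "data"]);
function isSafeUrlNaive(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true; // no scheme found: assumed relative
  return !BLOCKED_SCHEMES.has(m[1].toLowerCase());
}

// Normalization modelled on the WHATWG URL parser: strip leading and
// trailing C0 controls or spaces, then remove ASCII tab, LF and CR anywhere.
function normalizeLikeBrowser(url) {
  return url
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Hardened check: normalize first, reject any remaining control character
// outright, then allowlist the schemes the export is willing to emit.
// (Whether to allow data: for images is a product decision; assumed not.)
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);
function isSafeUrl(url) {
  const normalized = normalizeLikeBrowser(url);
  if (/[\u0000-\u001f\u007f]/.test(normalized)) return false;
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalized);
  if (!m) return true; // relative URL such as ./docs/index.html
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = {
  plain: "https://example.com/docs",
  tabbed: "java\tscript:void(0)",
  leadingControl: "\u0001javascript:void(0)",
};

module.exports = { isSafeUrlNaive, isSafeUrl, normalizeLikeBrowser, SAMPLES };
```

The naive filter accepts both control-character samples because it never sees the scheme it was written to block; the hardened one rejects them after normalization.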

Affected Version(s)

pi >= 0.74.0, < 0.78.1

References

CVSS V3.1

Score:
2.5
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
