Local Code Injection in Pi Terminal Coding Harness by Earendil Works
CVE-2026-54328

7.3 HIGH

Key Information:

  • Status:
  • Vendor:
  • CVE Published: 23 June 2026

What is CVE-2026-54328?

The Pi terminal coding harness, in versions from 0.74.0 up to but not including 0.78.1, suffers from a local code injection vulnerability. The cause is the use of predictable paths inside the operating system's shared temporary directory when staging npm or git extension package installs. On Linux multi-user systems, a local attacker with write access to that shared temporary directory can prepare a malicious package at the predictable location ahead of time. If another user subsequently runs Pi, the software can load the attacker's code into the victim's process, leading to unauthorized actions in that user's context or wider system compromise. The issue has been resolved in version 0.78.1.

Affected Version(s)

pi >= 0.74.0, < 0.78.1

References

CVSS V3.1

  • Score: 7.3
  • Severity: HIGH
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved