Executive Summary

CVE-2026-5533 is a stored Cross-Site Scripting (XSS) vulnerability in the pi-mono product, specifically in the SvgArtifact.ts component of the pi-web-ui module. The vulnerability arises because SVG artifacts are rendered inline into the parent page DOM using Lit's unsafeHTML() directive without any sanitization, allowing malicious SVG content with embedded JavaScript event handlers (like onload or onclick) to execute in the context of the parent page.

This flaw enables an attacker to remotely inject malicious SVG artifacts that execute JavaScript with full access to the parent page's origin context, including sensitive storage such as document.cookie, localStorage, and IndexedDB.

Additionally, the application stores LLM provider API keys and authentication tokens as plaintext in IndexedDB and localStorage, respectively, without encryption or access control, which can be stolen by the malicious SVG payload.

An attacker can exploit this vulnerability by manipulating the LLM to generate a malicious SVG artifact containing JavaScript payloads. When a victim views this SVG, the embedded script steals API keys, auth tokens, and chat history, then exfiltrates them to an attacker-controlled server.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including:

• Confidentiality breach: Full exfiltration of all LLM API keys, authentication tokens, and chat session history stored in the browser.
• Integrity compromise: An attacker can inject malicious custom providers and modify session data.
• Financial impact: Unauthorized use of stolen API keys can lead to significant financial costs due to unauthorized API calls.
• Remote exploitation: The attack requires no special privileges and can be triggered simply by a user viewing a malicious SVG artifact.
• No direct denial of service impact, but the confidentiality and integrity impacts are high.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying if your system uses the vulnerable pi-mono version 0.58.4 or earlier, specifically the @mariozechner/pi-web-ui component rendering SVG artifacts using unsafeHTML without sanitization.

You can check for the presence of SVG artifacts rendered inline without sanitization by inspecting the source code or runtime behavior of the web UI, especially looking at the SvgArtifact.ts file around lines 61-62.

To detect exploitation attempts or presence of malicious SVGs, monitor network traffic for unusual fetch or XMLHttpRequest calls that may exfiltrate data, and inspect IndexedDB and localStorage for plaintext API keys or tokens.

Suggested commands include using browser developer tools or command-line tools to inspect storage and network activity, for example:

• Using browser console to check IndexedDB keys: `indexedDB.databases().then(dbs => console.log(dbs));` and then inspecting the 'provider-keys' object store.
• Using browser console to check localStorage for auth tokens: `console.log(localStorage);`
• Using network monitoring tools (e.g., Wireshark, tcpdump) to detect suspicious outbound requests that could indicate data exfiltration.
• Reviewing the source code or deployed files for usage of `unsafeHTML()` directive without sanitization in SvgArtifact.ts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include sanitizing SVG content before rendering to prevent execution of malicious scripts.

• Replace the use of `unsafeHTML()` with a sanitization library such as DOMPurify configured to forbid dangerous tags (e.g., script, style, iframe) and event handler attributes (e.g., onload, onclick).
• Render SVG artifacts inside sandboxed iframes with restricted permissions (e.g., allow-scripts but no allow-same-origin) to isolate SVG content from the parent page context.
• Encrypt API keys and authentication tokens before storing them in IndexedDB and localStorage using Web Crypto API or equivalent.

These steps will help prevent remote attackers from executing malicious JavaScript embedded in SVG artifacts and protect sensitive credentials from theft.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows remote attackers to perform full credential theft by exploiting stored Cross-Site Scripting (XSS) in SVG artifact rendering combined with plaintext storage of sensitive API keys and authentication tokens.

This leads to high confidentiality and integrity impacts, including exfiltration of all LLM API keys, authentication tokens, and chat history, which are sensitive personal or organizational data.

Such unauthorized access and data exfiltration can result in non-compliance with data protection regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.

The vulnerability's exploitation could lead to violations of confidentiality and data security requirements mandated by these standards, potentially resulting in legal and financial consequences for affected organizations.

Useful 0 Not Useful 0