CVE-2026-5556
Received Received - Intake
Code Injection in badlogic pi-mono Loader Enables Remote Exploits

Publication date: 2026-04-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in badlogic pi-mono up to 0.58.4. This vulnerability affects the function discoverAndLoadExtensions of the file packages/coding-agent/src/core/extensions/loader.ts. The manipulation leads to code injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5556
EUVD
EUVD-2026-19061
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
badlogic pi-mono to 0.58.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5556 is a security vulnerability in the pi-mono product (Pi Coding Agent Monorepo) version 0.58.4 and earlier, specifically in the extension loader component (loader.ts). The vulnerability occurs because the software automatically discovers, loads, and immediately executes project-local extensions from the `.pi/extensions/` directory without any sandboxing, user confirmation, or integrity checks.

This automatic loading process includes following symbolic links and running the code with full Node.js privileges, allowing access to sensitive system APIs. An attacker can exploit this by placing a malicious extension in a repository; when a user clones and runs the pi agent in that directory, the malicious code executes automatically with the user's privileges, enabling arbitrary code execution without any user interaction.

Impact Analysis

This vulnerability can have severe impacts including unauthorized data access, system compromise, and disruption. Specifically, an attacker can execute arbitrary code with the privileges of the user running the pi agent, leading to:

  • Confidentiality risks such as leakage of sensitive data including SSH keys, cloud credentials, API tokens, and environment variables.
  • Integrity risks including persistent backdoors, tampering with source code, and installation of rootkits.
  • Availability risks such as system disruption, file deletion, and resource exhaustion.
Detection Guidance

This vulnerability can be detected by checking for the presence of malicious or unexpected TypeScript (.ts) or JavaScript (.js) files in the project-local `.pi/extensions/` directory, including symbolic links that may point to malicious code.

You can inspect the `.pi/extensions/` directory recursively to identify suspicious files or symlinks that could be exploited.

  • Use the command `find .pi/extensions/ -type l -ls` to list symbolic links in the extensions directory.
  • Use `find .pi/extensions/ -name '*.ts' -o -name '*.js'` to list all TypeScript and JavaScript files loaded automatically.

Additionally, monitoring the startup logs of the pi agent for loaded extensions can help detect unexpected or unauthorized extensions being executed.

Mitigation Strategies

Immediate mitigation steps include disabling or restricting the loading of project-local extensions in the `.pi/extensions/` directory to prevent automatic execution of potentially malicious code.

  • Avoid running the pi agent in untrusted or cloned repositories that may contain malicious extensions.
  • Manually inspect and remove any suspicious `.ts` or `.js` files or symbolic links in the `.pi/extensions/` directory.
  • Implement or enable a workspace trust prompt or a flag such as `--allow-project-extensions` to require explicit user confirmation before loading extensions.
  • Monitor and log all loaded extensions during startup to increase awareness of what code is being executed.

Longer term, advocate for or apply patches that introduce code signing, hash pinning, and sandboxing to restrict extension capabilities.

Compliance Impact

This vulnerability allows remote code execution with full user privileges, leading to high risks of data leakage including sensitive information such as SSH keys, cloud credentials, and API tokens.

Such unauthorized access and potential exfiltration of sensitive data can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information.

The lack of security controls such as sandboxing, code signing, or user confirmation before executing extensions increases the risk of confidentiality, integrity, and availability breaches, which are critical factors in regulatory compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5556. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart