CVE-2026-54326
Deferred
Deferred - Pending Action
Markdown Injection in Pi HTML Exports via Unsafe URL Schemes
Vulnerability report for CVE-2026-54326, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-23
Last updated on: 2026-06-24
Assigner: GitHub, Inc.
Description
Description
Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass the check because browsers normalize those characters before navigation. This vulnerability is fixed in 0.78.1.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| earendil-works | pi-coding-agent | to 0.78.1 (exc) |
| earendil-works | pi-coding-agent | 0.78.1 |
| mariozechner | pi-coding-agent | to 0.73.1 (exc) |
| mariozechner | pi-coding-agent | 0.73.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |