CVE-2026-14722
Status: Received - Intake

Code Injection in TidGi-Desktop via Git Repository Import

Vulnerability report for CVE-2026-14722, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A vulnerability was found in tiddly-gittly TidGi-Desktop up to and including version 0.13.0. It affects an unknown function in the file src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts of the Git Repository Import component. Manipulation of the imported data results in code injection. The attack can be launched remotely. An exploit has been made public and could be used.


Meta Information

Published: 2026-07-05
Last Modified: 2026-07-05
Generated: 2026-07-05
AI Q&A: 2026-07-05
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

1 associated CPE:

Vendor: tiddly-gittly
Product: tidgi-desktop
Version / Range: up to and including 0.13.0

Exploitability

CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Executive Summary

CVE-2026-14722 is a critical remote code execution vulnerability in TidGi Desktop version 0.13.0. It arises from the way the application imports TiddlyWiki repositories, specifically how it automatically discovers and executes JavaScript code embedded in .tid files within the wiki's tiddlers/ directory.

When a user imports a malicious Git repository, the application loads these .tid files and registers them as executable modules without proper validation. Any .tid file with a module-type field set to "startup" and type "application/javascript" is automatically executed during the wiki's boot sequence, granting full Node.js access.

This allows attackers to run arbitrary shell commands, potentially leading to complete system compromise. The attack requires minimal user interaction (just importing a repository) and works across Windows, macOS, and Linux platforms.

Impact Analysis

This vulnerability can have severe impacts including full system compromise. An attacker can execute arbitrary code on your system remotely by tricking you into importing a malicious Git repository.

  • Arbitrary code execution with full Node.js privileges.
  • Ability to run shell commands, leading to file read/write access.
  • Potential for reverse shell access, allowing persistent remote control.
  • No authentication or special permissions are required to exploit this vulnerability.
  • Works across multiple operating systems including Windows, macOS, and Linux.

Detection Guidance

Exploitation can be detected by monitoring Git repository imports for specially crafted .tid files whose module-type field is set to "startup" and whose type is "application/javascript", since such files execute arbitrary code during the wiki's boot sequence.

Since the exploit involves automatic execution of JavaScript code embedded in .tid files, detection can focus on identifying suspicious .tid files in the tiddlers/ directory of imported repositories.

Before importing a repository, scan it for .tid files that carry the module-type "startup" together with the type "application/javascript". Commands that help find such files include:

  • On Linux/macOS, use: grep -rl --include='*.tid' 'module-type.*startup' /path/to/repository/tiddlers/
  • Check for JavaScript content in .tid files: grep -rl --include='*.tid' 'application/javascript' /path/to/repository/tiddlers/

Additionally, monitoring system logs or network activity for unexpected execution of Node.js commands or shell commands triggered by the application may help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include preventing the automatic execution of malicious .tid files by disallowing the module-type field on user-created tiddlers.

Sandboxing user modules or implementing a whitelist of allowed module-type values can also reduce the risk of code injection.

Avoid importing untrusted or unknown Git repositories into TidGi Desktop until a patched version is released.

Monitor for updates from the TidGi Desktop project and apply patches as soon as they become available.

Compliance Impact

The vulnerability allows remote code execution leading to complete system compromise, including arbitrary file read/write and persistence mechanisms. This can result in unauthorized access to sensitive data, potentially violating data protection requirements under standards like GDPR and HIPAA.

Because attackers can execute arbitrary code and access files without authentication, the vulnerability poses a significant risk to confidentiality, integrity, and availability of data, which are core principles in many compliance frameworks.

Organizations using TidGi Desktop without mitigation may fail to meet compliance obligations related to protecting personal and sensitive information from unauthorized access or modification.
