GHSA-7V5M-PR3Q-6453
Vulnerability from github – Published: 2026-06-16 23:43 – Updated: 2026-06-16 23:43Potential XSS in HTML session exports via Markdown URL handling
Pi HTML exports render session Markdown into a static HTML file. Affected versions did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass the check because browsers normalize those characters before navigation.
Impact
The realistic attack path is indirect. An attacker would need to get suitable Markdown into a session, for example through prompt injection that causes the model to include an unsafe link, or through other untrusted session content. The user would then need to export the session as HTML, open or share that file, and click the link.
If triggered, script runs in the exported document, not in pi or the user's shell. The main risk is limited disclosure of data embedded in that exported session file.
Affected versions
- Affected:
@mariozechner/pi-coding-agent >= 0.27.5, <= 0.73.1 - Affected:
@earendil-works/pi-coding-agent >= 0.74.0, < 0.78.1 - Patched:
@earendil-works/pi-coding-agent 0.78.1
The old @mariozechner/pi-coding-agent package scope has no patched release. It was renamed to @earendil-works/pi-coding-agent; users of the old scope should migrate to the new package and upgrade to version 0.78.1 or later.
Resolution
Version 0.78.1 sanitizes Markdown link and image URLs with an allow-list after stripping C0 control characters.
Recommendations
Upgrade @earendil-works/pi-coding-agent to version 0.78.1 or later. Regenerate shared HTML exports after upgrading if the underlying sessions contained untrusted content.
Timeline
- 2026-05-29: Report received through GitHub Security Advisories
- 2026-06-02: Fix committed
- 2026-06-04: Fixed version 0.78.1 released
- 2026-06-08: Advisory prepared for publication
Credits
Reported by Paul Urian and Cosmin Alexa of CrowdStrike.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@mariozechner/pi-coding-agent"
},
"ranges": [
{
"events": [
{
"introduced": "0.27.5"
},
{
"last_affected": "0.73.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@earendil-works/pi-coding-agent"
},
"ranges": [
{
"events": [
{
"introduced": "0.74.0"
},
{
"fixed": "0.78.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54326"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T23:43:15Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "# Potential XSS in HTML session exports via Markdown URL handling\n\nPi HTML exports render session Markdown into a static HTML file. Affected versions did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass the check because browsers normalize those characters before navigation.\n\n## Impact\n\nThe realistic attack path is indirect. An attacker would need to get suitable Markdown into a session, for example through prompt injection that causes the model to include an unsafe link, or through other untrusted session content. The user would then need to export the session as HTML, open or share that file, and click the link.\n\nIf triggered, script runs in the exported document, not in pi or the user\u0027s shell. The main risk is limited disclosure of data embedded in that exported session file.\n\n## Affected versions\n\n- Affected: `@mariozechner/pi-coding-agent \u003e= 0.27.5, \u003c= 0.73.1`\n- Affected: `@earendil-works/pi-coding-agent \u003e= 0.74.0, \u003c 0.78.1`\n- Patched: `@earendil-works/pi-coding-agent 0.78.1`\n\nThe old `@mariozechner/pi-coding-agent` package scope has no patched release. It was renamed to `@earendil-works/pi-coding-agent`; users of the old scope should migrate to the new package and upgrade to version 0.78.1 or later.\n\n## Resolution\n\nVersion 0.78.1 sanitizes Markdown link and image URLs with an allow-list after stripping C0 control characters.\n\n## Recommendations\n\nUpgrade `@earendil-works/pi-coding-agent` to version 0.78.1 or later. Regenerate shared HTML exports after upgrading if the underlying sessions contained untrusted content.\n\n## Timeline\n\n- 2026-05-29: Report received through GitHub Security Advisories\n- 2026-06-02: Fix committed\n- 2026-06-04: Fixed version 0.78.1 released\n- 2026-06-08: Advisory prepared for publication\n\n## Credits\n\nReported by Paul Urian and Cosmin Alexa of CrowdStrike.",
"id": "GHSA-7v5m-pr3q-6453",
"modified": "2026-06-16T23:43:15Z",
"published": "2026-06-16T23:43:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/earendil-works/pi/security/advisories/GHSA-7v5m-pr3q-6453"
},
{
"type": "WEB",
"url": "https://github.com/earendil-works/pi/commit/6cb23f9b5d5b6d1747672f535b167d0d809ac010"
},
{
"type": "PACKAGE",
"url": "https://github.com/earendil-works/pi"
},
{
"type": "WEB",
"url": "https://github.com/earendil-works/pi/releases/tag/v0.78.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.