CVE-2026-54326 | Pi is a minimal terminal coding harness. From 0.74.0 until 0… | CVSS 2.5 LOW

Description

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass the check because browsers normalize those characters before navigation. This vulnerability is fixed in 0.78.1.

Metadata

CVE ID: CVE-2026-54326
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 18:42 UTC
Published: 2026-06-23 19:26 UTC
Last updated: 2026-06-23 19:26 UTC
Primary CWE: CWE-79
CWE-79: Improper Neutralization of Input During Web Page Gen…
Vendor / Product: earendil-works / pi
Sources: cve.org · NVD

Severity & Metrics

2.5 LOW CVSS 3.1

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
earendil-works	pi	—	>= 0.74.0, < 0.78.1

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (1)

Score	Severity	Version	Source	Vector
2.5	LOW	3.1	cna	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

References (3)

https://github.com/earendil-works/pi/security/advisories/GHSA-7v5m-pr3q-6453 https://github.com/earendil-works/pi/security/advisories/GHSA-7v5m-pr3q-6453
https://github.com/earendil-works/pi/commit/6cb23f9b5d5b6d1747672f535b167d0d809ac010 https://github.com/earendil-works/pi/commit/6cb23f9b5d5b6d1747672f535b167d0d809ac010
https://github.com/earendil-works/pi/releases/tag/v0.78.1 https://github.com/earendil-works/pi/releases/tag/v0.78.1