CVE-2026-54326
LowCVSS 2.5Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
Pi is a minimal terminal coding harness. In versions from 0.74.0 to 0.78.1, HTML exports did not consistently reject unsafe Markdown link and image URL schemes, potentially leading to security vulnerabilities.
Risk Assessment
Organizations may be exposed to attacks that exploit unsafe links and images, which could lead to session hijacking or data leakage.
Recommendation
It is recommended to upgrade to version 0.78.1 to eliminate this vulnerability and implement additional security measures to monitor and filter unsafe URL schemes.
Original NVD description (English source)
Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass the check because browsers normalize those characters before navigation. This vulnerability is fixed in 0.78.1.

