CVE Catalog

CVE-2026-54326

LowCVSS 2.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile — higher than 3% of all known CVEs

Summary

Pi is a minimal terminal coding harness. In versions from 0.74.0 to 0.78.1, HTML exports did not consistently reject unsafe Markdown link and image URL schemes, potentially leading to security vulnerabilities.

Risk Assessment

Organizations may be exposed to attacks that exploit unsafe links and images, which could lead to session hijacking or data leakage.

Recommendation

It is recommended to upgrade to version 0.78.1 to eliminate this vulnerability and implement additional security measures to monitor and filter unsafe URL schemes.

Original NVD description (English source)

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass the check because browsers normalize those characters before navigation. This vulnerability is fixed in 0.78.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS