CVE-2026-54326

LOW NVD

CVSS Score 2.5

Severity LOW

Published Jun 23, 2026

Vendor unknown

Description

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass the check because browsers normalize those characters before navigation. This vulnerability is fixed in 0.78.1.

References

https://github.com/earendil-works/pi/commit/6cb23f9b5d5b6d1747672f535b167d0d809ac010
https://github.com/earendil-works/pi/releases/tag/v0.78.1
https://github.com/earendil-works/pi/security/advisories/GHSA-7v5m-pr3q-6453