CVE-2026-54326: 
JavaScript 취약성 분석 및 완화

CVE-2026-54326 is a stored Cross-Site Scripting (XSS) vulnerability in the Pi coding agent's HTML session export feature, caused by insufficient sanitization of Markdown link and image URL schemes. Affected packages include @mariozechner/pi-coding-agent versions >= 0.27.5 and <= 0.73.1, and @earendil-works/pi-coding-agent versions >= 0.74.0 and < 0.78.1. The vulnerability was reported on 2026-05-29, fixed on 2026-06-04 (v0.78.1), and the advisory was published on 2026-06-08. It carries a CVSS v3.1 base score of 2.5 (Low) (GitHub Advisory, Security Advisory).

The root cause (CWE-79) is improper neutralization of user-controllable input during HTML page generation. The affected versions used a blocklist approach to filter dangerous URL schemes (e.g., javascript:, vbscript:, data:), but this check could be bypassed by prepending C0 control characters (Unicode \x00–\x1f, \x7f) to the scheme — browsers normalize these characters before navigation, allowing the malicious scheme to execute. The fix in commit 6cb23f9 replaced the blocklist with an allowlist (https?, mailto, tel, ftp) applied after stripping all C0 control characters from the URL, closing the bypass (GitHub Commit, Security Advisory).

If exploited, arbitrary JavaScript executes within the context of the exported HTML file when a victim opens it in a browser and clicks a crafted link or loads a crafted image. The primary risk is limited confidentiality impact — specifically, disclosure of data embedded in the exported session file (e.g., conversation history, code snippets, or other session content). There is no integrity or availability impact, and the script does not execute within the Pi application or the user's shell (GitHub Advisory).

1. Inject malicious Markdown: Craft a prompt injection payload that causes the Pi AI model to include a Markdown link or image with a URL using a dangerous scheme obfuscated with C0 control characters (e.g., [click me](\x01javascript:alert(document.cookie))).
2. Trigger session content: Interact with the Pi coding agent in a way that causes the injected Markdown to appear in the session output.
3. Export session as HTML: Wait for or socially engineer the target user into exporting the session as a static HTML file using Pi's export feature.
4. Deliver the HTML file: Share or distribute the exported HTML file to a victim (e.g., via email, file share, or collaboration platform).
5. Trigger XSS: The victim opens the HTML file in a browser and clicks the crafted link or loads the crafted image; the browser normalizes the C0 control characters, resolves the javascript: scheme, and executes the embedded script, potentially exfiltrating session data (Security Advisory, GitHub Commit).

• File System: Exported HTML session files containing Markdown links or image tags with URLs that include C0 control characters (\x00–\x1f) prepended to scheme names (e.g., javascript:, vbscript:, data:).
• Logs: Pi session logs or JSONL session files containing unusual Markdown link syntax with encoded or raw control characters in URL fields.
• Network: Outbound requests from a browser to unexpected external hosts shortly after a user opens an exported Pi HTML session file, potentially indicating data exfiltration via XSS payload.

Upgrade @earendil-works/pi-coding-agent to version 0.78.1 or later, which sanitizes Markdown link and image URLs using a scheme allowlist (https, http, mailto, tel, ftp) after stripping C0 control characters. Users of the legacy @mariozechner/pi-coding-agent package must migrate to @earendil-works/pi-coding-agent >= 0.78.1, as no patched release exists for the old scope. Additionally, previously exported HTML session files that may have contained untrusted content should be regenerated after upgrading (Security Advisory, Release v0.78.1).

The vulnerability was discovered and reported by Paul Urian and Cosmin Alexa of CrowdStrike through GitHub Security Advisories, indicating engagement from professional security researchers (Security Advisory). No broader media coverage or notable community discussion has been identified beyond the official advisory.