CVE Catalog

CVE-2026-54325

MediumCVSS 4.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

Pi is a minimal terminal coding harness. In versions before 0.79.0, Pi loaded project-local resources and configurations from a repository's .pi directory without asking the user to trust that repository, potentially allowing malicious code execution.

Risk Assessment

An attacker controlling a repository could place malicious resources that would run with the same privileges as the Pi process, posing a risk of unauthorized code execution.

Recommendation

It is recommended to upgrade to version 0.79.0 or later to mitigate this vulnerability and to implement additional precautions when using external repositories.

Original NVD description (English source)

Pi is a minimal terminal coding harness. Pi before 0.79.0 loaded project-local configuration and resources from a repository's .pi directory without first asking the user to trust that repository. This included project-local extensions, which are executable TypeScript or JavaScript modules loaded into the Pi process. An attacker who controls a repository could place Pi-specific project resources in that repository. If a user then started Pi from that working tree, the project-local extension code could run with the same privileges as the local Pi process without the user having a convenient way to make a trust decision. This vulnerability is fixed in 0.79.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS