CVE-2026-54325
MediumCVSS 4.4Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
Pi is a minimal terminal coding harness. In versions before 0.79.0, Pi loaded project-local resources and configurations from a repository's .pi directory without asking the user to trust that repository, potentially allowing malicious code execution.
Risk Assessment
An attacker controlling a repository could place malicious resources that would run with the same privileges as the Pi process, posing a risk of unauthorized code execution.
Recommendation
It is recommended to upgrade to version 0.79.0 or later to mitigate this vulnerability and to implement additional precautions when using external repositories.
Original NVD description (English source)
Pi is a minimal terminal coding harness. Pi before 0.79.0 loaded project-local configuration and resources from a repository's .pi directory without first asking the user to trust that repository. This included project-local extensions, which are executable TypeScript or JavaScript modules loaded into the Pi process. An attacker who controls a repository could place Pi-specific project resources in that repository. If a user then started Pi from that working tree, the project-local extension code could run with the same privileges as the local Pi process without the user having a convenient way to make a trust decision. This vulnerability is fixed in 0.79.0.

