CVE-2026-22813
Published: 2026-01-12
Priority: P4 (34)
CVSS 3.1: 6.1 (medium), vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.91% (55.6th percentile)
OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10.
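The description above names two missing controls: the HTML produced from the model's markdown is inserted into the DOM without a sanitizer such as DOMPurify, and no CSP contains whatever gets inserted. The following Python example is added here to show what an allowlist sanitizer actually enforces; it is not OpenCode's code or the advisory's, and every name and allowlist in it is an assumption for this example. In a browser the job belongs to DOMPurify; this standard-library version exists so the rules (tag allowlist, per-tag attribute allowlist, no event-handler attributes, no `javascript:` or `data:` URLs, script and style bodies dropped) can be run and checked offline, including the whitespace-in-scheme edge case.

```python
"""Allowlist sanitizer for HTML rendered from LLM markdown (added example).

Stand-in for the rules a DOM sanitizer such as DOMPurify enforces before
rendered markdown reaches innerHTML. Names and allowlists are assumptions
for this example, not OpenCode's.
"""
import re
from html import escape
from html.parser import HTMLParser

# Tags a chat transcript legitimately needs from rendered markdown (assumption).
ALLOWED_TAGS = {"p", "br", "em", "strong", "code", "pre", "ul", "ol", "li", "a",
                "img", "h1", "h2", "h3", "blockquote", "table", "thead", "tbody",
                "tr", "th", "td"}
# Per-tag attribute allowlist: anything not listed, including every on*
# handler, is dropped, so no denylist of handler names is needed.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
# Elements whose text content must go too, not only their tags.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}
VOID_TAGS = {"br", "img"}
_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*:")


def _safe_url(value):
    """Allow relative URLs and absolute ones on SAFE_SCHEMES only.

    Whitespace and control characters are stripped first because browsers
    ignore them inside a scheme, so "java\tscript:" is still javascript:.
    """
    head = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    m = _SCHEME.match(head)
    return m is None or m.group(0) in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return  # disallowed tag: its text survives, the tag does not
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # The parser decoded entities; re-escape so text stays text.
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))


def sanitize_html(html):
    """Return a serialization of `html` that contains only allowlisted markup."""
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def render_model_reply(rendered_markdown, sanitize=True):
    """What the UI hands to innerHTML; sanitize=False is the vulnerable path."""
    return sanitize_html(rendered_markdown) if sanitize else rendered_markdown


if __name__ == "__main__":
    # Constructed sample of what a markdown renderer could emit for a hostile reply.
    SAMPLE = '<p>Done.</p><img src="x" onerror="alert(1)"><script>alert(2)</script>'
    print(render_model_reply(SAMPLE, sanitize=False))
    print(render_model_reply(SAMPLE))
```

The sanitizer is the first layer; a `Content-Security-Policy` on the web interface (for example `script-src 'self'` with no `'unsafe-inline'`) is the second, because it stops inline handlers and injected script from running even when a sanitizer bug lets markup through. The advisory notes that neither layer was present before 1.1.10.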
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anoma | opencode | < 1.1.10 | 1.1.10 |
| anomalyco | opencode | < 1.1.10 | 1.1.10 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 4.0 | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA · 2026-01-13
CVE-2026-22813 [CRITICAL] CWE-79: Malicious website can execute commands on the local system through XSS in the OpenCode web UI
### Summary
A malicious website can abuse the server URL override feature of the OpenCode web UI to achieve cross-site scripting on `http://localhost:4096`. From there, it is possible to run arbitrary commands on the local system using the `/pty/` endpoints provided by the OpenCode API.
### Code execution via OpenCode API
- The OpenCode API has `/pty/` endpoints that allow spawning arbitrary processes on the local machine.
- When you run `opencode` in your terminal, OpenCode automatically starts an HTTP server on `localhost:4096` that exposes the API along with a web interface.
- JavaScript can make arbitrary same-origin `fetch()` requests to the `/pty/` API endpoints. Therefore, JavaScript exe
OSV · 2026-01-13
CVE-2026-22813 [CRITICAL] Malicious website can execute commands on the local system through XSS in the OpenCode web UI (same advisory text as the GHSA entry)
No detection rules found.
No public exploits indexed.