Impact
The vulnerability is a code injection flaw in the loadWikiTiddlersWithSubWikis module of TidGi-Desktop, allowing an attacker to inject and execute arbitrary code during a Git Repository Import. It is classified as CWE-74 and CWE-94 and enables remote code execution from crafted input. The flaw can be triggered remotely by sending a specially crafted repository or file, and a public exploit confirms that an attacker can achieve arbitrary code execution against the vulnerable application.
Affected Systems
tiddly-gittly TidGi-Desktop versions up to and including 0.13.0 contain the vulnerable component. Any build thatTiddSS score is 6.9, indicating a moderate severity, while the EPSS score is under 1 % and the vulnerability is not listed in CISA KEV, meaning it has not been widely exploited yet. Nonetheless, the exploitation vector is remote through the Git Repository Import feature, requiring only the ability to send payload-bearing input; if successful, the attacker gains the application's permissions and can run arbitrary code.
Risk and Exploitability
The CVSS score of 6.9 classifies this as a moderate‑severity risk. An EPSS score below 1 % and absence from the KEV catalog indicate that the vulnerability has not yet become a common target for widespread exploitation, although a public exploit exists. The attack can be launched remotely by an attacker who can supply a malicious Git repository or file through the Import feature; during import, the vulnerable code processes the input, leading to arbitrary code execution under the application's user context. Because code runs with the same privileges as the application, an attacker who successfully exploits the flaw can obtain full control over the system where TidGi‑Desktop is hosted.
OpenCVE Enrichment