Description
A vulnerability was found in tiddly-gittly TidGi-Desktop up to 0.13.0. This impacts an unknown function of the file src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts of the component Git Repository Import. The manipulation results in code injection. The attack may be performed from remote. The exploit has been made public and could be used.
Published: 2026-07-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a code injection flaw in the loadWikiTiddlersWithSubWikis module of TidGi-Desktop, allowing an attacker to inject and execute arbitrary code during a Git Repository Import. It is classified as CWE-74 and CWE-94 and enables remote code execution from crafted input. The flaw can be triggered remotely by sending a specially crafted repository or file, and a public exploit confirms that an attacker can achieve arbitrary code execution against the vulnerable application.

Affected Systems

tiddly-gittly TidGi-Desktop versions up to and including 0.13.0 contain the vulnerable component. Any build thatTiddSS score is 6.9, indicating a moderate severity, while the EPSS score is under 1 % and the vulnerability is not listed in CISA KEV, meaning it has not been widely exploited yet. Nonetheless, the exploitation vector is remote through the Git Repository Import feature, requiring only the ability to send payload-bearing input; if successful, the attacker gains the application's permissions and can run arbitrary code.

Risk and Exploitability

The CVSS score of 6.9 classifies this as a moderate‑severity risk. An EPSS score below 1 % and absence from the KEV catalog indicate that the vulnerability has not yet become a common target for widespread exploitation, although a public exploit exists. The attack can be launched remotely by an attacker who can supply a malicious Git repository or file through the Import feature; during import, the vulnerable code processes the input, leading to arbitrary code execution under the application's user context. Because code runs with the same privileges as the application, an attacker who successfully exploits the flaw can obtain full control over the system where TidGi‑Desktop is hosted.

Generated by OpenCVE AI on July 7, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update TidGi‑Desktop to a version released after 0.13.0 that removes the vulnerable code.
  • If an update is not immediately available, disable or uninstall the Git Repository Import feature to prevent the flawed processing routine from executing.
  • Implement input validation and sanitization for any remaining code that processes external content, ensuring that no arbitrary code execution can occur.

Generated by OpenCVE AI on July 7, 2026 at 18:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Jul 2026 08:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in tiddly-gittly TidGi-Desktop up to 0.13.0. This impacts an unknown function of the file src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts of the component Git Repository Import. The manipulation results in code injection. The attack may be performed from remote. The exploit has been made public and could be used.
Title tiddly-gittly TidGi-Desktop Git Repository Import loadWikiTiddlersWithSubWikis.ts code injection
First Time appeared Tiddly-gittly
Tiddly-gittly tidgi-desktop
Weaknesses CWE-74
CWE-94
CPEs cpe:2.3:a:tiddly-gittly:tidgi-desktop:*:*:*:*:*:*:*:*
Vendors & Products Tiddly-gittly
Tiddly-gittly tidgi-desktop
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Tiddly-gittly Tidgi-desktop
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-06T17:52:01.260Z

Reserved: 2026-07-04T08:01:16.620Z

Link: CVE-2026-14722

cve-icon Vulnrichment

Updated: 2026-07-06T17:51:57.760Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T18:30:17Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')