Description
OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10.
Published: 2026-01-12
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via unfiltered XSS
Action: Immediate Patch
AI Analysis

Impact

The web UI's markdown renderer inserts HTML contained in LLM responses into the DOM without sanitization, and the interface ships no Content Security Policy that would contain the result. An attacker who can influence the content of a chat response can therefore have the model emit HTML that executes JavaScript on the http://localhost:4096 origin. Because that origin belongs to the local server of a coding agent that runs tools on the user's machine, script running there is a short step from command execution, which is how the GitHub advisory frames the impact ("Malicious website can execute commands on the local system"). The weakness is cross-site scripting (CWE-79), but not a classic reflected XSS: the payload arrives through model output rendered in the session rather than through a URL parameter echoed back by the server. Possible consequences are execution of arbitrary commands as the local user, theft of local credentials and secrets, or installation of malware, compromising confidentiality, integrity, and availability of the affected system.

Affected Systems

All versions of AnomalyCo OpenCode prior to 1.1.10 are affected; 1.1.10 contains the fix. Any deployment running an earlier version, including default local installations that serve the web UI on localhost:4096, must be updated. Note that the NVD CPE for this record lists the vendor as "anoma" (cpe:2.3:a:anoma:opencode), while the earlier enrichment uses "Anomalyco"; match on both when searching inventory.

Risk and Exploitability

The GitHub-assigned CVSS 4.0 score of 9.4 rates this issue Critical (AV:N/AC:L/AT:N/PR:N/UI:P, with high confidentiality, integrity and availability impact on both the vulnerable and subsequent systems), whereas NVD's CVSS 3.1 assessment is 6.1 Medium (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), scoring only the low impact typical of an XSS. The 4.0 vector is the one consistent with the command-execution impact described by the advisory. The EPSS score below 1% suggests exploitation is not currently widespread. The issue is not in CISA's KEV catalog, which means no in-the-wild exploitation has been confirmed; it does not mean no exploit exists, and the SSVC assessment in this record lists Exploitation as "poc", Automatable as "yes" and Technical Impact as "total". The likely attack path, as the advisory title states, is a user who has OpenCode running being lured to a malicious website, which gets attacker-controlled content into a chat response so that the unsanitized renderer executes it; user interaction is limited to visiting the page (UI:P). Because the JavaScript runs on the local OpenCode origin, it inherits whatever the agent can do as the local user, so on a developer or administrator workstation the entire machine can be compromised.

Generated by OpenCVE AI on April 18, 2026 at 06:54 UTC.

Remediation

Fixed in OpenCode 1.1.10 (see GitHub advisory GHSA-c83v-7274-4vgp). No vendor-provided workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Upgrade AnomalyCo OpenCode to version 1.1.10 or later, the release in which the unsanitized rendering of LLM responses is fixed.
  • If an upgrade is not immediately possible, put the web UI behind a reverse proxy that adds a Content-Security-Policy header disallowing inline script and script from untrusted origins. Test the policy against the UI first: an application built without a CSP often relies on inline script and styles, so a strict policy may break it, and a policy loose enough not to break it may not stop the injection.
  • For self-built or forked deployments, pass LLM responses through a sanitizer such as DOMPurify, or escape HTML before markdown conversion, so that HTML in model output becomes inert text; where the markdown renderer offers it, turning off raw HTML passthrough is the simpler alternative.
  • Do not expose the OpenCode web UI beyond the local machine; keep it bound to localhost or segment the network. This does not by itself defeat the advisory's scenario, in which a malicious website visited from the same browser triggers the issue, so it is a hardening measure rather than a mitigation.

Generated by OpenCVE AI on April 18, 2026 at 06:54 UTC.
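The two rendering paths contrasted by the Description and by the third recommended action above, unsanitized insertion of model output versus escape-then-render, side by side as an added example. This is not OpenCode's renderer and it does not use DOMPurify; it is a stand-alone Node.js script with a deliberately tiny markdown subset (bold, code spans, links) written for illustration, and the function names, the allowlist in containsActiveContent and the LLM response it renders are all constructed for the example.

```javascript
// Added example, not OpenCode's code: the bug class in CVE-2026-22813 reduced to
// two renderers for a tiny markdown subset (**bold**, `code`, [text](url)).
// renderUnsafe passes raw HTML in the model response straight through, which an
// innerHTML sink then executes; renderSafe escapes the response first and only
// allows http(s) link targets. The LLM response below is constructed.

const LLM_RESPONSE = [
  'Here is the fix for **auth.js**:',
  '',
  '`npm install left-pad`',
  '',
  // HTML smuggled into the model output; an <img> with an onerror handler
  // fires without any user interaction once it is inserted into the DOM.
  '<img src=x onerror="alert(document.domain)">',
  '',
  'See [docs](javascript:alert(document.domain)) and [site](https://example.com).',
].join('\n');

// Turn the five HTML-significant characters into entities so that model text
// can never open a tag or break out of an attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Markdown subset -> HTML. With safeLinks set, link targets that are not
// http(s) (javascript:, data:, vbscript:, ...) are dropped and only the label kept.
function markdownSubset(text, { safeLinks }) {
  return text
    .replace(/`([^`]+)`/g, '<code>$1</code>')
    .replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>')
    .replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, (_m, label, href) => {
      if (safeLinks && !/^https?:\/\//i.test(href)) return label;
      return `<a href="${href}" rel="noopener noreferrer">${label}</a>`;
    });
}

// Vulnerable pattern: markdown conversion over the raw response, so any HTML
// the model emits reaches the page verbatim.
function renderUnsafe(markdown) {
  return markdownSubset(markdown, { safeLinks: false });
}

// Hardened pattern: escape first, convert second. Every '<' that came from the
// model is now literal text; the only tags in the output are the ones this
// function generates itself.
function renderSafe(markdown) {
  return markdownSubset(escapeHtml(markdown), { safeLinks: true });
}

// Rough check of what an innerHTML sink would act on: tags that can execute
// script or retarget the page, on* event-handler attributes, or javascript:
// link targets, looked for inside real tags only (escaped text has none).
const ACTIVE_TAGS = new Set([
  'script', 'img', 'svg', 'iframe', 'object', 'embed', 'math',
  'style', 'link', 'meta', 'base', 'form',
]);

function containsActiveContent(html) {
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    const attrs = m[2];
    if (ACTIVE_TAGS.has(name)) return true;
    if (/\son[a-z]+\s*=/i.test(attrs)) return true;
    if (/href\s*=\s*["']?\s*javascript:/i.test(attrs)) return true;
  }
  return false;
}

console.log('--- unsafe render (what the vulnerable UI would insert) ---');
console.log(renderUnsafe(LLM_RESPONSE));
console.log('--- safe render ---');
console.log(renderSafe(LLM_RESPONSE));
console.log('unsafe output carries active content:', containsActiveContent(renderUnsafe(LLM_RESPONSE)));
console.log('safe output carries active content:  ', containsActiveContent(renderSafe(LLM_RESPONSE)));
```

Run it with node; the unsafe output still contains the img tag with its onerror handler and a javascript: link, while the safe output shows the same markup as escaped text and keeps only the https link. In a real UI, renderSafe's output is what would be assigned to innerHTML; a Content-Security-Policy without 'unsafe-inline' is the second layer, for the case where the sanitizer has a gap.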

Advisories
Source: GitHub GHSA
ID: GHSA-c83v-7274-4vgp
Title: Malicious website can execute commands on the local system through XSS in the OpenCode web UI
History

Wed, 21 Jan 2026 15:30:00 +0000

Values added:
  First Time appeared: Anoma; Anoma opencode
  CPEs: cpe:2.3:a:anoma:opencode:*:*:*:*:*:-:*:*
  Vendors & Products: Anoma; Anoma opencode
  Metrics: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Tue, 13 Jan 2026 20:15:00 +0000

Values added:
  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 09:30:00 +0000

Values added:
  First Time appeared: Anomalyco; Anomalyco opencode
  Vendors & Products: Anomalyco; Anomalyco opencode

Mon, 12 Jan 2026 23:00:00 +0000

Values added:
  Description: OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10.
  Title: Malicious website can execute commands on the local system through XSS in the OpenCode web UI
  Weaknesses: CWE-79
  References:
  Metrics: cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-13T19:07:23.038Z

Reserved: 2026-01-09T22:50:10.288Z

Link: CVE-2026-22813

Vulnrichment

Updated: 2026-01-13T14:13:32.507Z

NVD

Status : Analyzed

Published: 2026-01-12T23:15:53.523

Modified: 2026-01-21T15:15:35.597

Link: CVE-2026-22813

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses