Impact
Pi is a minimal terminal coding harness that, from version 0.74.0 through 0.78.0, renders session Markdown into a static HTML file. The exporter does not consistently reject unsafe Markdown link and image URL schemes. In releases that include scheme filtering, a C0 control character embedded in the URL scheme can bypass the check because browsers normalize those characters before navigation, allowing an attacker to embed arbitrary scripts in the HTML export. When a user opens the malicious exported file, the scripts execute in the context of the local browser, resulting in cross‑site scripting. This issue is mitigated in release 0.78.1, which enforces stricter scheme validation.
Affected Systems
Pi versions 0.74.0 through 0.78.0 from the earendil‑works product are affected. The flaw was fixed in release 0.78.1; any installation older than that remains vulnerable.
Risk and Exploitability
The CVSS score of 2.5 indicates low severity, and no EPSS score is available, suggesting a limited likelihood of widespread exploitation. The vulnerability is not listed in CISA KEV. Exploitation requires an attacker to supply a malicious session that contains a crafted URL, export that session to HTML, and a local user to open the resulting file. Thus the risk is local and depends on the use of the HTML export feature.
OpenCVE Enrichment
Github GHSA