Description
A vulnerability was determined in badlogic pi-mono 0.58.4. The impacted element is an unknown function of the file packages/web-ui/src/tools/artifacts/SvgArtifact.ts of the component SVG Artifact Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch or Mitigate
AI Analysis

Impact

The flaw resides in a function of SvgArtifact.ts used by the badlogic pi‑mono web UI. It allows a malicious actor to inject arbitrary JavaScript into a victim’s browser, potentially enabling session hijack, credential theft, or page defacement.

Affected Systems

Only the badlogic pi‑mono 0.58.4 release is affected; other releases are not identified in the CVE data.

Risk and Exploitability

The CVSS v3.1 score of 5.3 indicates a moderate risk, and the vulnerability is not listed in the KEV catalog. The description states that remote exploitation is possible, occurring through the web UI component that processes SVG artifacts. Because the exploit has been publicly disclosed, attackers may craft malicious SVG files to trigger the vulnerability without requiring prior authentication.

Generated by OpenCVE AI on April 5, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the badlogic vendor site or repository for an updated pi‑mono release that addresses the SVG artifact handling.
  • If no patch is available, remove or disable the SVG artifact feature from the web UI to eliminate the vulnerable code path.
  • Ensure that any remaining SVG handling enforces strict validation and sanitization before rendering.
  • Monitor application logs for anomalous SVG uploads or JavaScript payloads that could indicate exploitation attempts.

Generated by OpenCVE AI on April 5, 2026 at 04:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Badlogic
Badlogic pi-mono
Vendors & Products Badlogic
Badlogic pi-mono

Mon, 06 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 02:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in badlogic pi-mono 0.58.4. The impacted element is an unknown function of the file packages/web-ui/src/tools/artifacts/SvgArtifact.ts of the component SVG Artifact Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Title badlogic pi-mono SVG Artifact SvgArtifact.ts cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Badlogic Pi-mono
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T16:37:45.354Z

Reserved: 2026-04-04T06:35:48.866Z

Link: CVE-2026-5533

cve-icon Vulnrichment

Updated: 2026-04-06T16:37:34.549Z

cve-icon NVD

Status : Deferred

Published: 2026-04-05T02:16:01.710

Modified: 2026-04-24T18:14:34.620

Link: CVE-2026-5533

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:57:21Z

Weaknesses