
AIKIDO-2026-10677

@mariozechner/pi-coding-agent is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Apr 30, 2026

61

Medium Risk

This Affects:

JS@mariozechner/pi-coding-agent
0.31.0 - 0.70.5
Fixed in 0.70.6

TL;DR

The coding agent builds a standalone exported HTML file from session tree data, embedding values such as image payloads, identifiers and message metadata into HTML attributes and inline text. In the affected versions those values were inserted without HTML escaping, so crafted session content (any text that reaches the session, for example from a file the agent read or from tool output) could break out of an attribute or inject markup that is then parsed when the export is opened in a browser. Before the fix this could lead to script execution in the browser context used to view the generated file. The patch applies contextual escaping, that is, escaping chosen for the place each value lands (text node, attribute value, image URL), so embedded image data, identifiers and metadata fields are neutralized before insertion into the generated markup.
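The following is an added illustrative example and is not code from @mariozechner/pi-coding-agent. It shows the two export shapes the TL;DR describes: a renderer that drops session values straight into attributes and text, beside one that escapes each value for the context it lands in (text node, attribute, image URL). The message fields id, role, image and text, the data URL allow-list and the sample session are assumptions made for the example.

```javascript
// Added example, not the project's exporter. Message fields are assumed.

// Escape for an HTML text node: the characters that can open markup.
function escapeHtmlText(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Escape for a quoted attribute value: a raw quote is what lets a value close
// the attribute and start a new one such as onerror=...
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// An image src is a URL context: attribute escaping alone still lets a
// javascript: or other unexpected scheme through. Allow only base64 data:image
// payloads (an assumed policy for this example).
const SAFE_DATA_IMAGE = /^data:image\/(?:png|jpeg|gif|webp);base64,[A-Za-z0-9+/=]+$/;
function safeImageSrc(value) {
  const s = String(value);
  return SAFE_DATA_IMAGE.test(s) ? s : "";
}

// "Before": every field is interpolated verbatim into the markup.
function renderMessageUnsafe(msg) {
  return `<div class="msg" id="${msg.id}" data-role="${msg.role}">` +
    (msg.image ? `<img src="${msg.image}">` : "") +
    `<p>${msg.text}</p></div>`;
}

// "After": each value is escaped for the context it is inserted into.
function renderMessageSafe(msg) {
  const src = safeImageSrc(msg.image || "");
  return `<div class="msg" id="${escapeHtmlAttr(msg.id)}" data-role="${escapeHtmlAttr(msg.role)}">` +
    (src ? `<img src="${escapeHtmlAttr(src)}" alt="">` : "") +
    `<p>${escapeHtmlText(msg.text)}</p></div>`;
}

// Wrap rendered messages in a standalone document, the way an export would.
function exportSessionHtml(messages, renderMessage) {
  return "<!doctype html><html><body>" + messages.map(renderMessage).join("") + "</body></html>";
}

// Constructed sample session: one message whose id and image try to break out
// of their attributes and whose text injects a tag, plus one benign message.
const craftedMessage = {
  id: 'm1" onerror="alert(1)',
  role: "assistant",
  image: 'x" onerror="alert(1)',
  text: "done <script>alert(document.cookie)</script>",
};
const benignMessage = {
  id: "m2",
  role: "user",
  image: "data:image/png;base64,iVBORw0KGgo=",
  text: "ok & done",
};

// Check for the two breakout shapes used in the constructed sample: a raw
// quote followed by an injected event handler, or a raw script tag.
function containsBreakout(html) {
  return /" onerror=/.test(html) || /<script>/.test(html);
}

// Example usage: the unsafe renderer emits the injected handler and tag, the
// safe renderer emits only escaped text.
const unsafeExport = exportSessionHtml([craftedMessage, benignMessage], renderMessageUnsafe);
const safeExport = exportSessionHtml([craftedMessage, benignMessage], renderMessageSafe);
console.log("unsafe export has breakout:", containsBreakout(unsafeExport));
console.log("safe export has breakout:  ", containsBreakout(safeExport));
```

The point of the three separate helpers is that escaping is not one function: a value that is harmless inside a text node can still close an attribute, and a well-escaped attribute value can still be a dangerous URL, so the exporter has to know which context each session value is written into.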

Who does this affect?

You are affected if you run any version from 0.31.0 through 0.70.5 and use its HTML export, since the unescaped values end up in the exported file and are interpreted by whichever browser opens it.

Background info

@mariozechner/pi-coding-agent is vulnerable to Cross-Site Scripting (XSS) in versions 0.31.0 - 0.70.5.

How to fix this

Upgrade the @mariozechner/pi-coding-agent library to 0.70.6 or later. Note that the fix changes how exports are generated; HTML files already produced by an affected version still contain the unescaped content and should be regenerated rather than trusted.