{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22813", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-09T22:50:10.288Z", "datePublished": "2026-01-12T22:52:35.103Z", "dateUpdated": "2026-01-13T19:07:23.038Z"}, "containers": {"cna": {"title": "Malicious website can execute commands on the local system through XSS in the OpenCode web UI", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp"}], "affected": [{"vendor": "anomalyco", "product": "opencode", "versions": [{"version": "< 1.1.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T22:52:35.103Z"}, "descriptions": [{"lang": "en", "value": "OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10."}], "source": {"advisory": "GHSA-c83v-7274-4vgp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T14:13:29.936632Z", "id": "CVE-2026-22813", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T19:07:23.038Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22813", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-13T14:13:29.936632Z"}}}], "references": [{"url": "https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T14:13:32.507Z"}}], "cna": {"title": "Malicious website can execute commands on the local system through XSS in the OpenCode web UI", "source": {"advisory": "GHSA-c83v-7274-4vgp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "anomalyco", "product": "opencode", "versions": [{"status": "affected", "version": "< 1.1.10"}]}], "references": [{"url": "https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp", "name": "https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T22:52:35.103Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22813", "state": "PUBLISHED", "dateUpdated": "2026-01-13T19:07:23.038Z", "dateReserved": "2026-01-09T22:50:10.288Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-12T22:52:35.103Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:anoma:opencode:*:*:*:*:*:-:*:*", "matchCriteriaId": "521FFCAB-C7CA-4867-9674-B8AF2637091E", "versionEndExcluding": "1.1.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10."}], "id": "CVE-2026-22813", "lastModified": "2026-01-21T15:15:35.597", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-12T23:15:53.523", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:54:30.219624+00:00", "value": {"mitigation_remediation": ["Upgrade AnomalyCo OpenCode to version 1.1.10 or later, which removes the unsanitized markdown renderer.", "If an upgrade is not immediately possible, configure the browser or web server to enforce a strict Content Security Policy that blocks JavaScript execution from untrusted sources.", "Alternatively, disable markdown rendering for LLM responses or replace the renderer with a sanitizing library such as DOMPurify to strip HTML tags before insertion.", "Avoid exposing the OpenCode web UI to untrusted network traffic; restrict access to localhost or enforce network segmentation."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via unfiltered XSS"}, "threat_synthesis": {"affected_systems": "All publicly released versions of AnomalyCo OpenCode from the beginning until 1.1.10 are affected. The vendor acknowledges a fix in version 1.1.10; any deployment running an earlier version, particularly default local installations, must be updated.", "description_and_impact": "The vulnerability in OpenCode allows an attacker to inject arbitrary HTML into markdown rendered by the web UI without sanitization or CSP. By manipulating the LLM response in a chat session, an attacker can cause malicious JavaScript to execute within the http://localhost:4096 origin, enabling remote code execution on the local machine. This flaw is a classic reflected cross\u2011site scripting flaw (CWE\u201179) that can lead to execution of arbitrary commands, theft of local credentials, or installation of malware, compromising confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "The CVSS score of 9.4 identifies this issue as Critical, and the low EPSS score (<1%) suggests that exploitation is not currently widespread. However the vulnerability is not cataloged in CISA's KEV, indicating that no public exploits are known at this time. The likely attack path involves tricking a user into visiting a malicious site that can feed the LLM with crafted prompts to trigger the injection. Because the JavaScript runs in the local origin, any privileges the local user holds will be granted to the attacker, making the risk significant especially for administrators. An attacker with remote code execution capabilities can compromise the entire machine."}}}}, "created": "2026-01-13T09:27:26.220097+00:00", "updated": "2026-04-18T07:00:11.351118+00:00", "vendors": ["anomalyco", "anomalyco$PRODUCT$opencode"]}