CVE-2026-22813
- Source
- https://cve.org/CVERecord?id=CVE-2026-22813
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22813.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-22813
- Aliases
- Published
- 2026-01-12T22:52:35.103Z
- Modified
- 2026-01-23T05:51:03.629107Z
- Severity
-
- 9.4 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
- Summary
- Malicious website can execute commands on the local system through XSS in the OpenCode web UI
- Details
-
OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10.
- Database specific
{ "cwe_ids": [ "CWE-79" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22813.json" }- References
Affected packages
Git / github.com/anomalyco/opencode
Affected ranges
- Type
- GIT
- Repo
- https://github.com/anomalyco/opencode
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.0.45
0.0.46
0.0.47
Other
github-v1
latest
github-v1.*
github-v1.0.0
github-v1.0.1
github-v1.0.10
github-v1.0.2
github-v1.0.3
github-v1.0.4
github-v1.0.5
github-v1.0.7
github-v1.0.8
github-v1.0.9
github-v1.1.0
github-v1.2.0
github-v1.2.1
github-v1.2.10
github-v1.2.11
github-v1.2.2
github-v1.2.3
github-v1.2.5
github-v1.2.6
github-v1.2.7
github-v1.2.8
github-v1.2.9
v0.*
v0.0.14
v0.0.15
v0.0.16
v0.0.20
v0.0.21
v0.0.22
v0.0.27
v0.0.28
v0.0.29
v0.0.30
v0.0.31
v0.0.32
v0.0.33
v0.0.34
v0.0.35
v0.0.36
v0.0.47
v0.0.48
v0.0.49
v0.0.50
v0.0.51
v0.0.52
v0.0.53
v0.0.54
v0.0.55
v0.1.0
v0.1.0-beta1
v0.1.0-beta2
v0.1.0-beta3
v0.1.1
v0.1.10
v0.1.100
v0.1.101
v0.1.102
v0.1.103
v0.1.104
v0.1.105
v0.1.106
v0.1.107
v0.1.108
v0.1.109
v0.1.11
v0.1.110
v0.1.111
v0.1.112
v0.1.113
v0.1.114
v0.1.115
v0.1.116
v0.1.117
v0.1.118
v0.1.119
v0.1.12
v0.1.120
v0.1.121
v0.1.122
v0.1.123
v0.1.124
v0.1.125
v0.1.126
v0.1.127
v0.1.128
v0.1.129
v0.1.13
v0.1.130
v0.1.131
v0.1.132
v0.1.133
v0.1.134
v0.1.135
v0.1.136
v0.1.137
v0.1.138
v0.1.139
v0.1.14
v0.1.140
v0.1.141
v0.1.142
v0.1.143
v0.1.144
v0.1.145
v0.1.146
v0.1.148
v0.1.149
v0.1.15
v0.1.150
v0.1.151
v0.1.152
v0.1.153
v0.1.154
v0.1.155
v0.1.156
v0.1.157
v0.1.158
v0.1.159
v0.1.16
v0.1.160
v0.1.161
v0.1.162
v0.1.163
v0.1.164
v0.1.165
v0.1.166
v0.1.167
v0.1.168
v0.1.169
v0.1.17
v0.1.170
v0.1.171
v0.1.172
v0.1.173
v0.1.174
v0.1.175
v0.1.176
v0.1.177
v0.1.178
v0.1.179
v0.1.18
v0.1.180
v0.1.181
v0.1.182
v0.1.183
v0.1.184
v0.1.185
v0.1.186
v0.1.187
v0.1.188
v0.1.189
v0.1.19
v0.1.190
v0.1.191
v0.1.192
v0.1.193
v0.1.194
v0.1.195
v0.1.196
v0.1.2
v0.1.21
v0.1.22
v0.1.23
v0.1.24
v0.1.25
v0.1.26
v0.1.27
v0.1.28
v0.1.29
v0.1.3
v0.1.30
v0.1.31
v0.1.32
v0.1.33
v0.1.34
v0.1.35
v0.1.36
v0.1.37
v0.1.38
v0.1.39
v0.1.4
v0.1.40
v0.1.41
v0.1.42
v0.1.43
v0.1.44
v0.1.45
v0.1.46
v0.1.47
v0.1.48
v0.1.49
v0.1.5
v0.1.50
v0.1.51
v0.1.52
v0.1.53
v0.1.54
v0.1.55
v0.1.56
v0.1.57
v0.1.58
v0.1.59
v0.1.6
v0.1.60
v0.1.61
v0.1.62
v0.1.63
v0.1.64
v0.1.65
v0.1.66
v0.1.67
v0.1.68
v0.1.69
v0.1.7
v0.1.70
v0.1.71
v0.1.72
v0.1.73
v0.1.74
v0.1.75
v0.1.76
v0.1.77
v0.1.78
v0.1.79
v0.1.8
v0.1.80
v0.1.81
v0.1.82
v0.1.83
v0.1.84
v0.1.86
v0.1.87
v0.1.88
v0.1.89
v0.1.9
v0.1.90
v0.1.91
v0.1.92
v0.1.93
v0.1.94
v0.1.95
v0.1.97
v0.1.98
v0.1.99
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.11.4
v0.11.5
v0.11.6
v0.11.7
v0.11.8
v0.12.0
v0.12.1
v0.13.2
v0.13.4
v0.13.5
v0.13.6
v0.13.7
v0.13.8
v0.13.9
v0.14.0
v0.14.1
v0.14.3
v0.14.4
v0.14.5
v0.14.6
v0.14.7
v0.15.0
v0.15.1
v0.15.10
v0.15.11
v0.15.12
v0.15.13
v0.15.14
v0.15.15
v0.15.16
v0.15.17
v0.15.18
v0.15.19
v0.15.2
v0.15.20
v0.15.21
v0.15.22
v0.15.23
v0.15.24
v0.15.25
v0.15.26
v0.15.27
v0.15.28
v0.15.29
v0.15.3
v0.15.30
v0.15.31
v0.15.4
v0.15.5
v0.15.6
v0.15.7
v0.15.8
v0.15.9
v0.2.0
v0.2.1
v0.2.10
v0.2.11
v0.2.12
v0.2.13
v0.2.14
v0.2.15
v0.2.16
v0.2.17
v0.2.18
v0.2.19
v0.2.2
v0.2.20
v0.2.21
v0.2.23
v0.2.24
v0.2.25
v0.2.26
v0.2.27
v0.2.28
v0.2.29
v0.2.3
v0.2.30
v0.2.31
v0.2.32
v0.2.33
v0.2.34
v0.2.35
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.3.1
v0.3.10
v0.3.100
v0.3.101
v0.3.102
v0.3.103
v0.3.104
v0.3.105
v0.3.106
v0.3.107
v0.3.108
v0.3.109
v0.3.11
v0.3.110
v0.3.111
v0.3.112
v0.3.113
v0.3.114
v0.3.115
v0.3.116
v0.3.117
v0.3.118
v0.3.119
v0.3.12
v0.3.120
v0.3.121
v0.3.122
v0.3.123
v0.3.126
v0.3.127
v0.3.128
v0.3.129
v0.3.13
v0.3.130
v0.3.131
v0.3.132
v0.3.133
v0.3.14
v0.3.15
v0.3.16
v0.3.17
v0.3.18
v0.3.19
v0.3.2
v0.3.20
v0.3.21
v0.3.22
v0.3.23
v0.3.24
v0.3.25
v0.3.26
v0.3.27
v0.3.28
v0.3.29
v0.3.3
v0.3.30
v0.3.31
v0.3.32
v0.3.33
v0.3.34
v0.3.35
v0.3.36
v0.3.37
v0.3.38
v0.3.39
v0.3.4
v0.3.40
v0.3.41
v0.3.42
v0.3.43
v0.3.44
v0.3.45
v0.3.46
v0.3.47
v0.3.48
v0.3.49
v0.3.5
v0.3.50
v0.3.51
v0.3.52
v0.3.53
v0.3.54
v0.3.55
v0.3.56
v0.3.57
v0.3.58
v0.3.6
v0.3.61
v0.3.62
v0.3.63
v0.3.64
v0.3.65
v0.3.66
v0.3.67
v0.3.68
v0.3.69
v0.3.7
v0.3.70
v0.3.71
v0.3.72
v0.3.73
v0.3.74
v0.3.75
v0.3.76
v0.3.77
v0.3.78
v0.3.79
v0.3.8
v0.3.80
v0.3.82
v0.3.83
v0.3.84
v0.3.86
v0.3.87
v0.3.88
v0.3.9
v0.3.90
v0.3.92
v0.3.93
v0.4.0
v0.4.1
v0.4.10
v0.4.11
v0.4.12
v0.4.15
v0.4.16
v0.4.17
v0.4.18
v0.4.19
v0.4.2
v0.4.20
v0.4.21
v0.4.22
v0.4.23
v0.4.24
v0.4.25
v0.4.26
v0.4.27
v0.4.28
v0.4.29
v0.4.3
v0.4.34
v0.4.36
v0.4.37
v0.4.4
v0.4.40
v0.4.41
v0.4.42
v0.4.43
v0.4.44
v0.4.45
v0.4.5
v0.4.6
v0.5.1
v0.5.10
v0.5.11
v0.5.12
v0.5.13
v0.5.15
v0.5.18
v0.5.2
v0.5.23
v0.5.24
v0.5.25
v0.5.26
v0.5.27
v0.5.28
v0.5.29
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.10
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.6.7
v0.6.8
v0.6.9
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.7.8
v0.7.9
v0.8.0
v0.9.0
v0.9.1
v0.9.10
v0.9.11
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9
v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.100
v1.0.103
v1.0.104
v1.0.105
v1.0.106
v1.0.107
v1.0.108
v1.0.109
v1.0.11
v1.0.110
v1.0.111
v1.0.112
v1.0.113
v1.0.114
v1.0.115
v1.0.117
v1.0.118
v1.0.119
v1.0.12
v1.0.120
v1.0.121
v1.0.122
v1.0.123
v1.0.124
v1.0.125
v1.0.126
v1.0.127
v1.0.128
v1.0.129
v1.0.13
v1.0.130
v1.0.131
v1.0.132
v1.0.133
v1.0.134
v1.0.137
v1.0.138
v1.0.14
v1.0.141
v1.0.142
v1.0.143
v1.0.144
v1.0.145
v1.0.146
v1.0.147
v1.0.148
v1.0.149
v1.0.15
v1.0.150
v1.0.151
v1.0.152
v1.0.153
v1.0.154
v1.0.155
v1.0.156
v1.0.157
v1.0.158
v1.0.159
v1.0.16
v1.0.160
v1.0.161
v1.0.162
v1.0.164
v1.0.165
v1.0.166
v1.0.167
v1.0.168
v1.0.169
v1.0.17
v1.0.170
v1.0.171
v1.0.172
v1.0.173
v1.0.174
v1.0.175
v1.0.176
v1.0.177
v1.0.178
v1.0.179
v1.0.18
v1.0.180
v1.0.181
v1.0.182
v1.0.183
v1.0.184
v1.0.185
v1.0.186
v1.0.187
v1.0.188
v1.0.189
v1.0.19
v1.0.190
v1.0.191
v1.0.192
v1.0.193
v1.0.194
v1.0.195
v1.0.196
v1.0.197
v1.0.198
v1.0.199
v1.0.2
v1.0.20
v1.0.200
v1.0.201
v1.0.202
v1.0.203
v1.0.204
v1.0.205
v1.0.206
v1.0.207
v1.0.208
v1.0.209
v1.0.21
v1.0.210
v1.0.211
v1.0.212
v1.0.213
v1.0.214
v1.0.215
v1.0.216
v1.0.217
v1.0.218
v1.0.219
v1.0.22
v1.0.220
v1.0.221
v1.0.222
v1.0.223
v1.0.224
v1.0.23
v1.0.24
v1.0.25
v1.0.26
v1.0.27
v1.0.28
v1.0.29
v1.0.3
v1.0.30
v1.0.31
v1.0.32
v1.0.33
v1.0.34
v1.0.35
v1.0.36
v1.0.37
v1.0.39
v1.0.4
v1.0.40
v1.0.41
v1.0.43
v1.0.44
v1.0.45
v1.0.46
v1.0.47
v1.0.48
v1.0.49
v1.0.5
v1.0.50
v1.0.51
v1.0.53
v1.0.54
v1.0.55
v1.0.57
v1.0.58
v1.0.59
v1.0.6
v1.0.60
v1.0.61
v1.0.62
v1.0.63
v1.0.64
v1.0.65
v1.0.66
v1.0.67
v1.0.68
v1.0.69
v1.0.7
v1.0.70
v1.0.71
v1.0.72
v1.0.73
v1.0.74
v1.0.75
v1.0.76
v1.0.77
v1.0.78
v1.0.79
v1.0.8
v1.0.80
v1.0.81
v1.0.82
v1.0.83
v1.0.84
v1.0.85
v1.0.86
v1.0.87
v1.0.88
v1.0.89
v1.0.9
v1.0.90
v1.0.91
v1.0.92
v1.0.93
v1.0.94
v1.0.95
v1.0.97
v1.0.98
v1.0.99
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
vscode-v0.*
vscode-v0.0.1
vscode-v0.0.10
vscode-v0.0.11
vscode-v0.0.12
vscode-v0.0.13
vscode-v0.0.2
vscode-v0.0.3
vscode-v0.0.4
vscode-v0.0.5
vscode-v0.0.6
vscode-v0.0.7
vscode-v0.0.8
vscode-v0.0.9