
CVE-2026-22813: Critical Vulnerability in Anoma OpenCode

A critical vulnerability in Anoma's OpenCode allows for a potential HTML injection that can lead to JavaScript execution. This flaw necessitates immediate action to avoid severe security risks.

Severity: CRITICAL · Public Exploit · CVSS 9.4 · Published January 12, 2026


CVE-2026-22813 is a critical vulnerability identified in Anoma's OpenCode, an open-source AI coding agent. The markdown renderer used for Large Language Model (LLM) responses inserts arbitrary HTML into the Document Object Model (DOM). Because the web interface applies neither DOMPurify sanitization nor a Content Security Policy (CSP), HTML injection on the localhost interface results in JavaScript execution. The vulnerability is particularly concerning because it could lead to unauthorized command execution within a chat session environment.

The CVSS score for this vulnerability is 9.4, indicating a critical severity level. This high score is attributed to various factors including the attack vector being network-based, the low complexity of the attack, and the high impact on confidentiality, integrity, and availability. Organizations utilizing Anoma's OpenCode should be particularly vigilant, as exploitation could lead to severe security breaches.

As of the latest update on January 21, 2026, the fix is available only in version 1.1.10 and later; all versions prior to 1.1.10 remain vulnerable. Organizations must prioritize remediation, as the exploitation potential is significant.

Risk to organizations includes potential unauthorized access and manipulation of code execution in local environments, which could expose sensitive data or lead to further attacks. Organizations should prioritize patching immediately.

Vulnerability Details

OpenCode is an open-source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in version 1.1.10.

Technical Analysis

The root cause of this vulnerability lies in the lack of input validation and output encoding within the markdown renderer. As a result, an attacker could inject malicious scripts through the markdown input, which would then be executed in the context of the user’s browser. The attack vector is network-based, requiring no specific privileges, and it only requires passive user interaction for exploitation.

The attack complexity is low, making it accessible to a wide range of potential attackers. The impacts on confidentiality, integrity, and availability are high, indicating that successful exploitation could lead to significant breaches affecting user data and application functionality.

Risk & Impact Analysis

The real-world deployment risk associated with CVE-2026-22813 is substantial. Given its critical CVSS score of 9.4, organizations using OpenCode must recognize the potential for severe consequences, including unauthorized access to sensitive information and control over the local environment. The blast radius of this vulnerability could extend beyond initial targets, potentially impacting interconnected systems and users.

Organizations should assess their exposure and prioritize this vulnerability in their patching cycles. The urgency for remediation is critical due to the high likelihood of exploitation in the wild.

Signal              Status
Known Exploit       Yes
Public PoC          Yes
Actively Exploited  No
Ransomware Use      No

Affected Versions

All versions of Anoma's OpenCode prior to 1.1.10 are affected by this vulnerability. Users should upgrade to version 1.1.10 or later to mitigate the associated risk.

Mitigation & Remediation

To remediate CVE-2026-22813, organizations should immediately upgrade to version 1.1.10 or later of OpenCode. If an upgrade is not feasible, consider implementing a web application firewall (WAF) to filter out potentially malicious input and establish stricter content security policies. Additionally, reviewing and enhancing input validation and output encoding practices can help mitigate the risk of similar vulnerabilities in the future.

For effective security posture, organizations should validate remediation effectiveness through penetration testing to identify similar weaknesses.

Detection Guidance

Monitoring for anomalies in interactions with the markdown rendering service is crucial. Look for unusual patterns in HTML output and unexpected JavaScript execution. Log any occurrences of HTML injection attempts and configure alerting mechanisms for abnormal activities that indicate potential exploitation.
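As an added example (not OpenCode's own code; function names, the markdown subset and the CSP values are hypothetical), the following Node.js snippet contrasts the renderer shape described in the technical analysis with a hardened one that escapes model output before building markup, and adds the logging check this detection guidance calls for:

```javascript
// Added example, not OpenCode's code: render LLM markdown without letting
// model-authored HTML reach the DOM, plus a logging check for responses that
// carry raw markup. Function names and the markdown subset are hypothetical.

const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESC[c]);

// Only these URL schemes may become clickable links; anything else stays inert text.
const SAFE_SCHEMES = /^(https?:|mailto:)/i;

// Vulnerable shape (simulated): markdown is converted but raw HTML in the model's
// response passes through, so any tag or event-handler attribute lands in the page.
function renderUnsafe(md) {
  return md.replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>");
}

// Hardened shape: escape everything first, then emit markup only for the markdown
// constructs we recognise. The model can no longer author tags or attributes.
function renderSafe(md) {
  let html = escapeHtml(md);
  html = html.replace(/`([^`]+)`/g, "<code>$1</code>");
  html = html.replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>");
  html = html.replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, (whole, text, url) =>
    SAFE_SCHEMES.test(url)
      ? `<a href="${url}" rel="noopener noreferrer">${text}</a>`
      : whole // scheme not allowlisted: leave the escaped source text alone
  );
  return html;
}

// Detection aid (heuristic): flag model responses containing raw tags or inline
// event-handler attributes so they can be logged and alerted on.
function containsRawHtml(md) {
  return /<\s*[a-z!/]/i.test(md) || /\bon[a-z]+\s*=/i.test(md);
}

// Defence in depth for the local web UI: a CSP that blocks inline script even if
// markup does get injected. Policy values are an assumption, not OpenCode's.
function cspHeader() {
  return ["default-src 'self'", "script-src 'self'", "object-src 'none'",
          "base-uri 'none'"].join("; ");
}

// Constructed sample of a model response that smuggles a tag into markdown.
const SAMPLE = "Run `ls` **now** <script>x()</script> [docs](https://example.com)";
console.log(renderUnsafe(SAMPLE));    // <script> survives verbatim
console.log(renderSafe(SAMPLE));      // <script> becomes &lt;script&gt;
console.log(containsRawHtml(SAMPLE)); // true
```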

AppSecure Threat Intelligence Insight

CVE-2026-22813 highlights critical vulnerabilities associated with the integration of AI in development tools. It underscores the importance of rigorous input validation and output encoding to prevent attacks such as cross-site scripting (XSS). Security teams should proactively engage in testing their systems for similar vulnerabilities, as the landscape of AI-related threats continues to evolve.

To further enhance security measures, organizations can explore AI penetration testing methodologies and adapt their strategies accordingly.

Lastly, organizations should stay informed of emerging vulnerabilities through resources such as vulnerability management programs that can help in identifying and addressing security gaps.

As the threat landscape evolves, the integration of proactive security assessments will be key to maintaining a robust security posture.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
