RCE in Badlogic Pi-mono
CVE-2026-5533
A vulnerability was determined in badlogic pi-mono 0.58.4. The impacted element is an unknown function of the file packages/web-ui/src/tools/artifacts/SvgArtifact.ts of the component SVG Artifact Handler. This manipulation causes cross sit…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.000 (11.1th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 4.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N.
Affected products
- Badlogic Pi-mono — versions 0.58.4
Weakness classification (CWE)
References
- VDB-355286 | badlogic pi-mono SVG Artifact SvgArtifact.ts cross site scripting (vdb-entry)
- VDB-355286 | CTI Indicators (IOB, IOC, TTP, IOA) (signature, permissions-required)
- Submit #782170 | Mario Zechner pi-mono 0.58.4 SVG Artifact Stored XSS Leading to Credential Theft (third-party-advisory)
- cna@vuldb.com (issue-tracking, exploit)
Frequently asked questions
- What is CVE-2026-5533?
- CVE-2026-5533 is a medium-severity vulnerability in Badlogic Pi-mono, classified under Cross-site Scripting. CVSS score: 4.3/10. Published 2026-04-05.
- How severe is CVE-2026-5533?
- Medium severity. CVSS v3 base score is 4.3 out of 10.