{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5556", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-04T13:47:01.130Z", "datePublished": "2026-04-05T09:30:15.138Z", "dateUpdated": "2026-04-06T15:29:13.939Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-05T09:30:15.138Z"}, "title": "badlogic pi-mono loader.ts discoverAndLoadExtensions code injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "badlogic", "product": "pi-mono", "versions": [{"version": "0.58.0", "status": "affected"}, {"version": "0.58.1", "status": "affected"}, {"version": "0.58.2", "status": "affected"}, {"version": "0.58.3", "status": "affected"}, {"version": "0.58.4", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in badlogic pi-mono up to 0.58.4. This vulnerability affects the function discoverAndLoadExtensions of the file packages/coding-agent/src/core/extensions/loader.ts. The manipulation leads to code injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-04T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-04T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-04T15:52:05.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Yu Bao (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/355326", "name": "VDB-355326 | badlogic pi-mono loader.ts discoverAndLoadExtensions code injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355326/cti", "name": "VDB-355326 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/782876", "name": "Submit #782876 | badlogic pi-mono 0.58.4 Zero-Click Remote Code Execution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/August829/CVEP/issues/27", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:29:03.670845Z", "id": "CVE-2026-5556", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:29:13.939Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5556", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:29:03.670845Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:29:10.035Z"}}], "cna": {"title": "badlogic pi-mono loader.ts discoverAndLoadExtensions code injection", "credits": [{"lang": "en", "type": "reporter", "value": "Yu Bao (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "badlogic", "product": "pi-mono", "versions": [{"status": "affected", "version": "0.58.0"}, {"status": "affected", "version": "0.58.1"}, {"status": "affected", "version": "0.58.2"}, {"status": "affected", "version": "0.58.3"}, {"status": "affected", "version": "0.58.4"}]}], "timeline": [{"lang": "en", "time": "2026-04-04T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-04T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-04T15:52:05.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355326", "name": "VDB-355326 | badlogic pi-mono loader.ts discoverAndLoadExtensions code injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355326/cti", "name": "VDB-355326 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/782876", "name": "Submit #782876 | badlogic pi-mono 0.58.4 Zero-Click Remote Code Execution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/August829/CVEP/issues/27", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in badlogic pi-mono up to 0.58.4. This vulnerability affects the function discoverAndLoadExtensions of the file packages/coding-agent/src/core/extensions/loader.ts. The manipulation leads to code injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-05T09:30:15.138Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5556", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:29:13.939Z", "dateReserved": "2026-04-04T13:47:01.130Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-05T09:30:15.138Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in badlogic pi-mono up to 0.58.4. This vulnerability affects the function discoverAndLoadExtensions of the file packages/coding-agent/src/core/extensions/loader.ts. The manipulation leads to code injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5556", "lastModified": "2026-04-05T10:16:19.520", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-05T10:16:19.520", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/August829/CVEP/issues/27"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/782876"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355326"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355326/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.58.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.58.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.58.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.58.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.58.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "pi-mono", "source": "cna", "vendor": "badlogic"}, "product": "pi-mono", "vendor": "badlogic"}], "analysis": {"en": {"generated_at": "2026-04-05T11:20:40.786669+00:00", "value": {"mitigation_remediation": ["Upgrade badlogic pi-mono to a version newer than 0.58.4.", "If upgrading is not immediately possible, restrict inputs to trusted sources and validate extension names before loading.", "Regularly review the coding-agent component for updates and monitor security advisories from badlogic.", "Consider disabling the discoverAndLoadExtensions functionality if it is not required."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via code injection"}, "threat_synthesis": {"affected_systems": "badlogic pi-mono, versions up to 0.58.4 are affected. Any deployment of the coding-agent component that imports extensions via loader.ts may be vulnerable. Those running the 0.58.4 release or earlier need to upgrade.", "description_and_impact": "The vulnerability in badlogic pi-mono, located in the discoverAndLoadExtensions function of loader.ts, allows attackers to inject arbitrary code through manipulated input. This can lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system. The weakness corresponds to code injection (CWE-74) and potentially code execution (CWE-94).", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. No EPSS score is published, and the vendor has not released a patch yet. Remote exploitation has been confirmed publicly, so the risk remains real for systems still on vulnerable versions. Attackers can target the application over a network or exposed service that uses discoverAndLoadExtensions, and can subsequently execute arbitrary code."}}}}, "created": "2026-04-06T20:26:23.468716+00:00", "updated": "2026-04-06T21:56:57.842638+00:00", "vendors": ["badlogic", "badlogic$PRODUCT$pi-mono"]}