CVE-2026-22813

Localhost to RCE: Poisoning the AI's Brain with CVE-2026-22813

Amit Schendel
Senior Security Researcher

Jan 14, 2026 · 6 min read

Executive Summary (TL;DR)

OpenCode, a popular open-source AI coding assistant, failed to sanitize Markdown output from LLMs in its web UI. By tricking a user into connecting their local agent to a malicious server, an attacker can inject JavaScript that pivots from XSS to full RCE, leveraging the agent's native ability to execute shell commands.

A critical Cross-Site Scripting (XSS) vulnerability in the OpenCode AI agent allows attackers to achieve Remote Code Execution (RCE) by hijacking the local web interface via unsanitized Markdown rendering.

Technical Appendix

CVSS Score: 9.4 / 10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS Probability: 0.08%
Top 77% most exploited

Affected Systems

OpenCode AI Agent

Affected Versions Detail

Product: OpenCode (AnomalyCo)
Affected Versions: < 1.1.10
Fixed Version: 1.1.10

CWE ID: CWE-79
CVSS Score: 9.4 (Critical)
Attack Vector: Network
Privileges Required: None
User Interaction: Required (Clicking link)
EPSS Score: 0.00078
Exploit Status: PoC Available

CWE-79
Cross-site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
