EUVD-2026-38845

In the Linux kernel, the following vulnerability has been resolved: futex: Prevent lockup in requeue-PI during signal/ timeout wakeup During wait-requeue-pi task A and requeue-PI task B the following race can happen: Task A Task B futexwaitrequeuepi futexsetuptimer futexdowait futexrequeue CLASSh...

Pi-hole Reflected XSS in 404-Error Page

Pi-hole Admin Interface = 6.2.1 contains a reflected XSS vulnerability on the 404 error page. The URL path is reflected unsanitized into the class attribute of the body tag, allowing attribute injection via a crafted URL to execute arbitrary JavaScript in victim browsers. id: CVE-2025-53533 info:...

CVE-2026-54326

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass th...

CVE-2026-54327

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only...

CVE-2026-54327

The Pi credential storage vulnerability (CVE-2026-54327) stems from a race in the auth.json write path. Between file creation/writes and the subsequent permission tightening, auth.json could be created or rewritten with permissions derived from the process umask, briefly exposing stored API keys ...

CVE-2026-54326

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass th...

CVE-2026-54326 Pi: Potential XSS in HTML session exports via Markdown URL sanitization bypass

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass th...

CVE-2026-54328 Pi: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can write to the shared temporary...

CVE-2026-54325

Pi loads project-local extensions without approval in versions before 0.79.0. Before 0.79.0, startup could pull in repository-specific resources from a .pi directory, including executable project-local extensions (TypeScript/JavaScript modules) that run inside the Pi process. An attacker controll...

CVE-2026-54325

Pi is a minimal terminal coding harness. Pi before 0.79.0 loaded project-local configuration and resources from a repository's .pi directory without first asking the user to trust that repository. This included project-local extensions, which are executable TypeScript or JavaScript modules loaded...

ROOT-APP-PYPI-CVE-2025-69224 CVE-2025-69224 in rootio-aiohttp - Patched by Root

Root has patched CVE-2025-69224 in the rootio-aiohttp package for Root:PyPI. Multiple fixed versions available...

Astra Linux – Vulnerabilities in Linux, Linux-5.15, Linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: Input: raspberrypi-ts – fixed the reference count leak in rpitsprobe. The rpifirmwareget function takes a reference; we need to release it in error paths as well. Use the devmrpifirmwareget helper to handle resources. Also,...

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15, Linux 6.1

In the Linux kernel, the following vulnerabilities have been resolved: mailbox: bcm2835: Fixed timeout during suspend mode During the noirq suspend phase, the Raspberry Pi power driver experiences firmware property timeouts. The reason is that the IRQ of the underlying BCM2835 mailbox is disabled...

Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerabilities have been resolved: drm/vc4: Do not check if plane-state-fb == state-fb Currently, when using non-blocking commits, the following kernel warnings can be observed: 110.908514 ------------ Cut here ------------ 110.908529 refcountt: Underflow; Use...

PT-2026-50493

Name of the Vulnerable Software and Affected Versions @mariozechner/pi-coding-agent versions 0.28.0 through 0.73.1 @earendil-works/pi-coding-agent versions 0.74.0 through 0.78.0 Description A race condition in the file write path of the credential storage implementation allows the auth.json file,...

CVE-2026-44693

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based web server. This iss...

CVE-2026-44693

Pi-hole FTL contains a race condition in the HTTP session management subsystem (global session buffer) introduced with the v6.0 CivetWeb rewrite, allowing unauthenticated session hijacking. It affects versions prior to 6.6.1 and is patched in 6.6.1. CVSS v3.1 is 8.8 (Network, Privileges None, Use...

CVE-2026-44693 Pi-hole FTL: Unauthenticated Session Hijacking via Race Condition on Global Session Buffer

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based web server. This iss...

CVE-2026-44693 Pi-hole FTL: Unauthenticated Session Hijacking via Race Condition on Global Session Buffer

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based web server. This iss...

EUVD-2026-36194

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based web server. This iss...