CVE-2026-54328
Pi: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts
CVSS Score
7.3
EPSS Score
0.0%
EPSS Percentile
0th
Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can write to the shared temporary directory could prepare the expected package location before another user runs pi with a temporary extension package source. Pi could then load attacker-controlled extension code in the victim user's process. This vulnerability is fixed in 0.78.1.
| CWE | CWE-379 |
| Vendor | earendil-works |
| Product | pi |
| Published | Jun 23, 2026 |
Stay Ahead of the Next One
Get instant alerts for earendil-works pi
Be the first to know when new high vulnerabilities affecting earendil-works pi are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
earendil-works / pi
>= 0.74.0, < 0.78.1
References
github.com: https://github.com/earendil-works/pi/security/advisories/GHSA-jfgx-wxx8-mp94 github.com: https://github.com/earendil-works/pi/pull/5345 github.com: https://github.com/earendil-works/pi/commit/a98e087e5d08ea2a536bf73dbb0aebb87c3ef72e github.com: https://github.com/earendil-works/pi/commit/ea3465a8e371a12d0167a06b60f93878e3a3df44 github.com: https://github.com/earendil-works/pi/releases/tag/v0.78.1