Critical · Public exploit

OpenCode localhost web UI XSS leading to local command execution

Identifiers: CVE-2026-22813, CWE-79 · Improper Neutralization of Input…

CVE-2026-22813 is a cross-site scripting vulnerability in OpenCode, an open source AI coding agent. The OpenCode web interface renders LLM/chat markdown responses and inserts arbitrary HTML into the DOM without sanitization, and the interface also lacks a Content Security Policy sufficient to prevent script execution. An attacker who can control an LLM response in a chat session, including via the web UI's server URL override feature, can inject malicious HTML/JavaScript that executes in the security context of the OpenCode web UI origin at http://localhost:4096. Because that origin has access to the local OpenCode API, the XSS can be used to issue requests to sensitive localhost endpoints and bridge from browser script execution to local system command execution. The issue is reported fixed in OpenCode 1.1.10.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows attacker-controlled JavaScript to execute in the OpenCode localhost web UI origin and interact with the local OpenCode API. This can be used to access endpoints that spawn arbitrary processes, resulting in arbitrary command execution on the victim developer workstation. The practical impact is full compromise of the local system in the context available to the OpenCode process/user, enabling execution of malicious code, access to local resources exposed through the API, and follow-on workstation compromise.

Mitigation

If you can’t patch tonight, do this now.

Apply the vendor update immediately. Until patched, reduce exposure by disabling or avoiding the vulnerable web UI where possible, preventing untrusted content from being rendered in chat sessions, and avoiding use of the server URL override behavior referenced in the exploit chain. Restrict access to the localhost OpenCode interface/API from the browser environment as much as operationally possible. Because any XSS in the localhost UI is high impact, minimizing or disabling the local web interface is the most effective temporary mitigation short of upgrading.

Remediation

Patch, then assume compromise.

Upgrade OpenCode / the npm package opencode-ai to version 1.1.10 or later, the fixed version. The supporting advisory also notes a server-side change to stop honoring the ?url= server URL override parameter, removing the specific XSS vector described. More generally, remediation should include proper HTML sanitization of rendered LLM output and enforcement of a restrictive CSP in the web UI.
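
The remediation above calls for a restrictive CSP. As an added example (not OpenCode's or the advisory's code), this Node.js script audits a Content-Security-Policy value for the gaps that leave injected markup able to run script. The function names and sample policies are constructed for illustration, and script-src-elem / script-src-attr are not modelled.

```javascript
// Added example: audit a Content-Security-Policy value for gaps that would let
// injected markup run script. All names and sample policies are constructed.

// Parse "name v1 v2; name2 v3" into a Map. The first occurrence of a directive
// wins. Values are lower-cased because only keywords and prefixes are inspected.
function parseCsp(header) {
  const directives = new Map();
  for (const part of String(header || "").split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
    }
  }
  return directives;
}

// Return a list of findings; an empty list means no gap was found by these checks.
function auditCsp(header) {
  const csp = parseCsp(header);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const src = csp.get("script-src") ?? csp.get("default-src");
  if (src === undefined) {
    return ["no script-src or default-src: script execution is unrestricted"];
  }
  const findings = [];
  // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
  const hasNonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (src.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' allows inline <script> and event-handler attributes");
  }
  if (src.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' allows eval()-style string execution");
  }
  // With 'strict-dynamic', host and scheme sources are ignored by the browser.
  if (!src.includes("'strict-dynamic'")) {
    for (const s of src) {
      if (["*", "data:", "http:", "https:"].includes(s)) {
        findings.push(`${s} allows script to be loaded from arbitrary locations`);
      }
    }
  }
  return findings;
}

// Constructed sample policies, weakest first.
for (const policy of ["", "default-src 'self'; script-src 'self' 'unsafe-inline'",
                      "default-src 'none'; script-src 'self'; connect-src 'self'"]) {
  console.log(JSON.stringify(policy), "->", auditCsp(policy));
}
```
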
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.


EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Anoma | Opencode | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
