VYPR
Medium severity 4.3 · NVD Advisory · Published Apr 5, 2026 · Updated Apr 29, 2026

CVE-2026-5533

Description

A vulnerability was determined in badlogic pi-mono 0.58.4. The impacted element is an unknown function of the file packages/web-ui/src/tools/artifacts/SvgArtifact.ts of the component SVG Artifact Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site scripting vulnerability in pi-mono 0.58.4's SVG Artifact Handler allows remote attackers to inject arbitrary web scripts.

Vulnerability Description

The vulnerability resides in the SvgArtifact.ts file of the packages/web-ui/src/tools/artifacts directory within the pi-mono project version 0.58.4. The issue stems from improper neutralization of user input during SVG artifact handling, leading to reflected or stored cross-site scripting (XSS). The vendor, badlogic, was contacted but did not respond [1].

Exploitation

The attack vector is remote and does not require authentication. By crafting a malicious SVG artifact containing JavaScript payloads, an attacker can inject and execute arbitrary code in the context of the affected web application. The exploit has been publicly disclosed, increasing the risk of active exploitation [1].

Impact

Successful exploitation could allow an attacker to steal session cookies, access sensitive data, perform actions on behalf of the victim, or deface the application. Given the medium CVSS v3 base score of 4.3, the impact is limited but the public availability of exploit details elevates the practical risk [1].

Mitigation

As of this writing, no patch or vendor advisory has been released. Users should consider disabling the SVG artifact handler or implementing strict input validation and output encoding as a temporary workaround. Monitoring for updates from the vendor or community forks is recommended [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

References

4
