Platform: nodejs
Component: pi-mono
Fixed in: 0.58.1, 0.58.2, 0.58.3, 0.58.4, 0.58.5
A code injection vulnerability has been identified in the pi-mono Node.js package, affecting versions 0.58.0 through 0.58.4. The flaw resides in the discoverAndLoadExtensions function of packages/coding-agent/src/core/extensions/loader.ts and allows an attacker to inject arbitrary code. It is exploitable remotely, and a public exploit has already been disclosed, so systems that use this package are at significant risk.
Successful exploitation of CVE-2026-5556 allows an attacker to execute arbitrary code on the system running the vulnerable pi-mono package. This could lead to complete system compromise, including data theft, modification, or destruction. Because the package runs in a Node.js environment, the vulnerability can affect web applications, backend services, and any other application that depends on pi-mono. Remote code execution greatly widens the attack surface and the potential blast radius, and depending on the application's architecture and deployment it may affect multiple systems and users.
This vulnerability has been publicly disclosed, and a proof-of-concept exploit is available. This significantly increases the likelihood of exploitation. The vulnerability is currently not listed on the CISA KEV catalog, but its public nature warrants close monitoring. The vendor has not responded to early disclosure attempts, which may indicate a slower response to remediation efforts.
Exploit Status
EPSS: 0.05% (14th percentile)
The primary mitigation for CVE-2026-5556 is to upgrade to a patched version of pi-mono. As of this writing, no patched version has been released. Until a patch is available, consider temporarily disabling or removing the packages/coding-agent/src/core/extensions/loader.ts module if possible, which disables the extension-loading path. Applying strict input validation and sanitization to any data passed to the discoverAndLoadExtensions function also reduces the risk. Monitor Node.js application logs for suspicious activity related to file loading or code execution.
Update the pi-mono package to a patched version. Consult the vendor's sources for details on patched versions and upgrade instructions.
CVE-2026-5556 is a code injection vulnerability in the pi-mono Node.js package, affecting versions 0.58.0–0.58.4. It allows attackers to inject malicious code via the discoverAndLoadExtensions function.
You are affected if your project uses pi-mono version 0.58.0 through 0.58.4. Check your package.json file to confirm the version, and check your lockfile (package-lock.json) as well, since the installed version may differ from the declared range or be pulled in transitively.
Upgrade to a patched version of pi-mono. As of now, no patch is available. Until a patch is released, consider disabling the vulnerable module or implementing input validation.
Yes, a public exploit is available, indicating a high probability of active exploitation.
Check the pi-mono project's GitHub repository and associated documentation for updates and advisories. The vendor has not yet responded to disclosure attempts.
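The version check recommended under mitigation and in the "Am I affected?" answer, as an added example (not code from this advisory or from the pi-mono project): it walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3), including nested node_modules paths, and reports every pi-mono install whose version falls in the advisory's affected range. The sample lockfile is constructed for the demo.

```javascript
// Added example, not from the advisory or the pi-mono project.
// Affected range taken from the advisory: 0.58.0 through 0.58.4, inclusive.
const AFFECTED = { name: "pi-mono", min: "0.58.0", max: "0.58.4" };

// Compare two dotted numeric versions (pre-release suffix stripped).
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, AFFECTED.min) >= 0 &&
         compareVersions(version, AFFECTED.max) <= 0;
}

// Walk every "packages" entry of a parsed lockfile object. The package
// name is derived from the path segment after the last "node_modules/",
// which also covers nested (transitive) installs and scoped packages.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const marker = "node_modules/";
    const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (name === AFFECTED.name && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from any real project): one direct
// install in range, one nested install below the range.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/pi-mono": { version: "0.58.2" },
    "node_modules/other/node_modules/pi-mono": { version: "0.57.9" },
  },
};

for (const h of findAffected(SAMPLE_LOCK)) {
  console.log(`AFFECTED by CVE-2026-5556: ${h.path} pi-mono@${h.version}`);
}
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to findAffected instead of SAMPLE_LOCK.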