CVE-2026-22813 is a critical security vulnerability classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting or XSS) found in the anomalyco OpenCode product, an open source AI coding agent. The vulnerability arises from the markdown renderer component used to display responses generated by the large language model (LLM) within the OpenCode web interface. Specifically, the renderer inserts arbitrary HTML content directly into the Document Object Model (DOM) without any sanitization mechanisms such as DOMPurify or the enforcement of a Content Security Policy (CSP). This lack of sanitization allows an attacker who can control the LLM's response in a chat session to inject and execute arbitrary JavaScript code within the context of the http://localhost:4096 origin. Because the origin is localhost, this can lead to significant security implications including theft of sensitive data, manipulation of the local application state, or further exploitation of the local environment. The vulnerability does not require any privileges or authentication to exploit but does require user interaction to trigger the malicious script execution. The vulnerability affects all OpenCode versions prior to 1.1.10, where it has been fixed. The CVSS 4.0 base score of 9.4 reflects the critical nature of this flaw, highlighting its network attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild, the potential for exploitation is significant given the widespread use of AI coding tools and the sensitive nature of local development environments.

For European organizations, the impact of CVE-2026-22813 can be substantial, particularly for those integrating OpenCode into their AI development workflows or using it as part of local coding environments. Successful exploitation could lead to unauthorized code execution on developer machines, potentially exposing sensitive intellectual property, credentials, or internal network information. This could facilitate lateral movement within corporate networks or enable supply chain attacks if compromised code is pushed to production. The vulnerability’s exploitation on localhost means that attackers might leverage social engineering or malicious LLM prompts to trick users into executing harmful scripts. Given the critical CVSS score, the risk to confidentiality, integrity, and availability is high. Organizations relying on OpenCode for AI-assisted coding without proper mitigations could face data breaches, code integrity violations, or disruption of development processes. The lack of a CSP and sanitization also indicates a broader security design weakness that could be exploited in other ways if not addressed.

To mitigate CVE-2026-22813, European organizations should immediately upgrade all OpenCode deployments to version 1.1.10 or later, where the vulnerability is patched. Additionally, implement strict Content Security Policies (CSP) on the OpenCode web interface to restrict the execution of unauthorized scripts and reduce the risk of XSS attacks. Incorporate robust input sanitization libraries such as DOMPurify to cleanse any HTML content rendered by the markdown renderer, preventing injection of malicious scripts. Conduct thorough code reviews and security testing of any custom integrations with OpenCode to ensure no additional injection vectors exist. Educate developers and users about the risks of interacting with untrusted LLM responses and enforce strict operational security policies around AI coding tools. Monitor local environments for suspicious activity and consider isolating AI coding tools in sandboxed environments to limit potential damage from exploitation. Finally, maintain up-to-date threat intelligence feeds to detect any emerging exploits targeting this vulnerability.