CVE-2026-22813 is a critical security vulnerability classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting or XSS) found in the anomalyco OpenCode product, an open-source AI coding agent. The vulnerability arises from the markdown renderer component used to display responses from large language models (LLMs). This renderer directly inserts arbitrary HTML content into the Document Object Model (DOM) without applying any sanitization mechanisms such as DOMPurify or enforcing a Content Security Policy (CSP). Consequently, if an attacker can control or influence the LLM's response during a chat session, they can inject malicious JavaScript code that executes within the security context of the localhost web interface (http://localhost:4096). This local origin execution can lead to theft of sensitive data, manipulation of the user interface, or further exploitation of the host system. The vulnerability affects all OpenCode versions prior to 1.1.10, where the issue has been addressed. The CVSS 4.0 score of 9.4 indicates a critical severity, with an attack vector of network (remote), no privileges required, no user interaction needed beyond initiating the chat session, and a high impact on confidentiality, integrity, and availability. Although no public exploits have been reported, the nature of the vulnerability makes it a significant risk, especially in environments where OpenCode is used for development or automation tasks. The lack of CSP and sanitization is a fundamental security oversight that allows arbitrary script execution, which can be leveraged for session hijacking, data exfiltration, or pivoting attacks on the host machine.

For European organizations, the impact of CVE-2026-22813 can be substantial, particularly for those integrating OpenCode into their development pipelines or AI-assisted coding environments. Successful exploitation could lead to unauthorized code execution on developer machines, potentially exposing sensitive source code, credentials, or internal APIs. This could compromise intellectual property and lead to further lateral movement within corporate networks. The vulnerability’s exploitation on localhost reduces the attack surface to users interacting with the vulnerable interface, but social engineering or supply chain attacks could trick users into triggering malicious LLM responses. Given the critical CVSS score, the risk to confidentiality, integrity, and availability is high. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and critical infrastructure, may face regulatory and compliance repercussions if exploited. Additionally, the AI coding agent’s role in automating code generation means that malicious script injection could propagate insecure code or backdoors into production systems, amplifying the threat.

1. Immediate upgrade to OpenCode version 1.1.10 or later, where the vulnerability is patched. 2. Implement strict Content Security Policies (CSP) on the localhost web interface to restrict script execution sources and mitigate the impact of any injected scripts. 3. Integrate robust HTML sanitization libraries such as DOMPurify to cleanse any user or LLM-generated content before rendering it in the DOM. 4. Limit access to the OpenCode web interface to trusted users and networks, employing network segmentation and firewall rules to reduce exposure. 5. Educate developers and users about the risks of interacting with untrusted LLM responses and encourage verification of AI-generated content. 6. Monitor logs and network traffic for unusual activity related to the OpenCode interface, including unexpected script execution or data exfiltration attempts. 7. Consider running OpenCode in isolated environments or containers to contain potential exploitation impact. 8. Regularly review and update security configurations and dependencies to prevent similar vulnerabilities.