Skip to main content

TidGi-Desktop CVE-2026-14722

| EUVDEUVD-2026-41735 MEDIUM
Code Injection (CWE-94)
2026-07-05 VulDB GHSA-vv7r-8584-6pm6
5.5
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

User must actively initiate repository import (UI:R); scope unchanged within Electron context; limited CIA impact consistent with vendor CVSS 4.0 VC:L/VI:L/VA:L ratings.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 05, 2026 - 08:34 vuln.today
CVSS changed
Jul 05, 2026 - 08:22 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)

DescriptionCVE.org

A vulnerability was found in tiddly-gittly TidGi-Desktop up to 0.13.0. This impacts an unknown function of the file src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts of the component Git Repository Import. The manipulation results in code injection. The attack may be performed from remote. The exploit has been made public and could be used.

AnalysisAI

Code injection in TidGi-Desktop up to version 0.13.0 allows remote attackers to execute arbitrary code through the application's Git Repository Import feature, specifically within the sub-wiki loading worker. The flaw resides in src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts, where externally-sourced Git repository content is processed without adequate code-injection safeguards (CWE-94). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts malicious Git repository with injected tiddler payload
Delivery
Target user opens TidGi-Desktop ≤0.13.0
Exploit
User initiates Git Repository Import for attacker-controlled repo
Execution
loadWikiTiddlersWithSubWikis.ts processes crafted content without sanitization
Persist
Injected code executes in Electron Node.js runtime context
Impact
Attacker achieves arbitrary code execution on victim host

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim is running TidGi-Desktop version 0.13.0 or earlier AND actively initiates a Git Repository Import operation targeting an attacker-controlled or compromised Git repository. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.5 with AV:N/AC:L/AT:N/PR:N/UI:N places this as network-exploitable with no prerequisites - however, the impact metrics VC:L/VI:L/VA:L indicate limited per-system impact, which is at odds with the 'RCE' tag applied by VulDB. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes or controls a Git repository containing crafted tiddler metadata or content that injects executable code into the processing pipeline of TidGi-Desktop's sub-wiki loader. When a target user opens TidGi-Desktop and imports this attacker-controlled repository via the Git Repository Import feature, the injected payload is evaluated within the application's Node.js runtime context, achieving code execution. …
Remediation Users should consult the GitHub Security Advisory GHSA-9hc2-hjx8-q6pv at https://github.com/tiddly-gittly/TidGi-Desktop/security/advisories/GHSA-9hc2-hjx8-q6pv for the authoritative patch guidance; a specific fixed release version is not independently confirmed from the available references, so users should monitor the project repository at https://github.com/tiddly-gittly/TidGi-Desktop/ for a tagged patched release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14722 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy