Is there a public PoC exploit available for EUVD-2026-19015?

Yes, a public proof-of-concept exploit is available for EUVD-2026-19015. Prioritise patching immediately. EPSS: 0.0%.

Pi Mono EUVD-2026-19015

Q: What is the CVSS score of EUVD-2026-19015?

EUVD-2026-19015 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-5533 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-04-05 VulDB

GHSA-87fw-5q57-v2v9

XSS Pi Mono

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

5.3 (MEDIUM) 2.1 (LOW)

PoC Detected

Apr 07, 2026 - 13:20 vuln.today

Public exploit code

EUVD ID Assigned

Apr 05, 2026 - 01:45 euvd

EUVD-2026-19015

Analysis Generated

Apr 05, 2026 - 01:45 vuln.today

CVE Published

Apr 05, 2026 - 01:30 nvd

MEDIUM 5.3

DescriptionCVE.org

A vulnerability was determined in badlogic pi-mono 0.58.4. The impacted element is an unknown function of the file packages/web-ui/src/tools/artifacts/SvgArtifact.ts of the component SVG Artifact Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-site scripting (XSS) in badlogic pi-mono 0.58.4 SVG Artifact Handler allows unauthenticated remote attackers to inject malicious scripts via the SvgArtifact.ts component, affecting application integrity when users interact with crafted SVG artifacts. Publicly available exploit code exists, and the vendor has not responded to disclosure despite early notification.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents moderate real-world risk with low CVSS severity (4.3) but elevated exploitation probability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker uploads or shares a specially crafted SVG artifact containing embedded JavaScript through the pi-mono web interface. When a victim user views or previews the artifact, the malicious script executes in their browser session, potentially stealing session cookies, modifying page content, or redirecting the user to a phishing site. …
Remediation	No vendor-released patch identified at time of analysis; the vendor has not responded to disclosure efforts. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-19015 vulnerability details – vuln.today

Back