Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
User must actively initiate repository import (UI:R); scope unchanged within Electron context; limited CIA impact consistent with vendor CVSS 4.0 VC:L/VI:L/VA:L ratings.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was found in tiddly-gittly TidGi-Desktop up to 0.13.0. This impacts an unknown function of the file src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts of the component Git Repository Import. The manipulation results in code injection. The attack may be performed from remote. The exploit has been made public and could be used.
AnalysisAI
Code injection in TidGi-Desktop up to version 0.13.0 allows remote attackers to execute arbitrary code through the application's Git Repository Import feature, specifically within the sub-wiki loading worker. The flaw resides in src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts, where externally-sourced Git repository content is processed without adequate code-injection safeguards (CWE-94). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim is running TidGi-Desktop version 0.13.0 or earlier AND actively initiates a Git Repository Import operation targeting an attacker-controlled or compromised Git repository. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.5 with AV:N/AC:L/AT:N/PR:N/UI:N places this as network-exploitable with no prerequisites - however, the impact metrics VC:L/VI:L/VA:L indicate limited per-system impact, which is at odds with the 'RCE' tag applied by VulDB. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes or controls a Git repository containing crafted tiddler metadata or content that injects executable code into the processing pipeline of TidGi-Desktop's sub-wiki loader. When a target user opens TidGi-Desktop and imports this attacker-controlled repository via the Git Repository Import feature, the injected payload is evaluated within the application's Node.js runtime context, achieving code execution. … |
| Remediation | Users should consult the GitHub Security Advisory GHSA-9hc2-hjx8-q6pv at https://github.com/tiddly-gittly/TidGi-Desktop/security/advisories/GHSA-9hc2-hjx8-q6pv for the authoritative patch guidance; a specific fixed release version is not independently confirmed from the available references, so users should monitor the project repository at https://github.com/tiddly-gittly/TidGi-Desktop/ for a tagged patched release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41735
GHSA-vv7r-8584-6pm6