Elvish · Elvish · CVE-2021-41088
**Name of the Vulnerable Software and Affected Versions**
Elvish versions prior to 0.14.0
**Description**
Elvish is a programming language and interactive shell. The web UI backend, started by `elvish -web`, hosts an HTTP endpoint on localhost that executes code sent from the web UI. The backend does not correctly check the origin of requests to this endpoint, so the browser's same-origin protections do not help: any website the user visits can make the browser send a request carrying arbitrary code to the localhost endpoint. If the user has the web UI backend running and opens a malicious website, that website can therefore execute arbitrary code as the user running the backend.
**Recommendations**
The issue is fixed in version 0.14.0. For versions prior to 0.14.0, it can be patched by removing the web UI from the source tree (the directory is `web`, `pkg/web`, or `pkg/prog/web`, depending on the exact version) and rebuilding.
As a temporary workaround, do not start the experimental web UI (`elvish -web`) until you are running a fixed version.