CVE

CVE-2026-22792

5ire vulnerable to Remote Code Execution (RCE)

CVE

CVE-2026-22792

5ire vulnerable to Remote Code Execution (RCE)

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an <img onerror=...> payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as window.bridge.mcpServersManager.createServer. This enables unauthorized creation of MCP servers and lead to remote command execution. Version 0.15.3 fixes the issue.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

9.6

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22792.json, https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3, https://github.com/nanbingxyz/5ire/security/advisories/GHSA-p5fm-wm8g-rffx, https://nvd.nist.gov/vuln/detail/CVE-2026-22792

Severity

9.6

CVSS Score

Basic Information

Ecosystem

Base CVSS

9.6

EPSS Probability

0.00257%

EPSS Percentile

0.48775%

Introduced Version

Fix Available

5acf7edc387d1f18a00555bbd1f5d9b9718d2eaa

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2026-22792

CVE-2026-22792

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

9.6

Basic Information

Fix Critical Vulnerabilities Instantly