CVE-2026-22792

Summary

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an <img onerror=...> payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as window.bridge.mcpServersManager.createServer. This enables unauthorized creation of MCP servers and lead to remote command execution. Version 0.15.3 fixes the issue.

Affected Software

VendorProductVersion RangeStatus
nanbingxyz5ire< 0.15.3affected

Weaknesses

  • CWE-116: CWE-116: Improper Encoding or Escaping of Output

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References