Description

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an `<img onerror=...>` payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as `window.bridge.mcpServersManager.createServer`. This enables unauthorized creation of MCP servers and lead to remote command execution. Version 0.15.3 fixes the issue.

INFO

Published Date :

2026-01-21T20:54:18.108Z

Last Modified :

2026-01-21T21:26:47.676Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-22792 vulnerability.

Vendors Products
5ire
  • 5ire
Nanbingxyz
  • 5ire
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22792.

URL Resource
https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3 cve-icon cve-icon
https://github.com/nanbingxyz/5ire/security/advisories/GHSA-p5fm-wm8g-rffx cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact