CVE-2026-22792

Date: January 21, 2026

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an "<img onerror=...>" payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as "window.bridge.mcpServersManager.createServer". This enables unauthorized creation of MCP servers and leads to remote command execution. Version 0.15.3 fixes the issue.
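
As an added illustration of the weakness class (CWE-116), not code from 5ire or its fix: one way to render untrusted markup is to serialize it from a parsed node tree through an allowlist, so on* attributes never reach the renderer. The node shape, the allowlists and the names `escapeHtml` and `renderNode` are assumptions made for this example.

```javascript
// Added example (not 5ire code): allowlist serializer for untrusted markup.
// Input is a node tree such as an HTML/Markdown parser would emit (assumed shape:
// a string for text, or { tag, attrs, children } for an element).
const ALLOWED_TAGS = new Set(["p", "b", "i", "em", "strong", "code", "pre", "a", "img", "ul", "ol", "li"]);
const ALLOWED_ATTRS = { a: ["href", "title"], img: ["src", "alt", "title"] };
const URL_ATTRS = new Set(["href", "src"]);
const VOID_TAGS = new Set(["img"]);
// Only these URL forms survive; javascript:, data: and anything else is dropped.
const SAFE_URL = /^(https?:|mailto:|#|\/)/i;

function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderNode(node) {
  // Text is always encoded, so markup arriving as a string is shown, not parsed.
  if (typeof node === "string") return escapeHtml(node);
  if (!node || typeof node.tag !== "string") return "";
  const tag = node.tag.toLowerCase();
  const children = (node.children || []).map(renderNode).join("");
  // Tags outside the allowlist (script, iframe, svg, ...) are dropped;
  // their already-escaped children are kept as plain content.
  if (!ALLOWED_TAGS.has(tag)) return children;
  const allowed = ALLOWED_ATTRS[tag] || [];
  let attrs = "";
  for (const [rawName, rawValue] of Object.entries(node.attrs || {})) {
    const name = rawName.toLowerCase();
    // on* handlers are never allowlisted, so onerror/onload/onclick fall out here.
    if (!allowed.includes(name)) continue;
    const value = String(rawValue).trim();
    if (URL_ATTRS.has(name) && !SAFE_URL.test(value)) continue;
    attrs += ` ${name}="${escapeHtml(value)}"`;
  }
  return VOID_TAGS.has(tag) ? `<${tag}${attrs}>` : `<${tag}${attrs}>${children}</${tag}>`;
}

// Constructed sample: an image node carrying an event-handler attribute.
const sample = { tag: "img", attrs: { src: "https://example.invalid/a.png", onerror: "handler()" } };
console.log(renderNode(sample)); // the onerror attribute is absent from the output
```

Output encoding of this kind limits what untrusted content can do in the renderer; it does not replace restricting what the exposed bridge APIs accept.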

Severity Score

Weakness Type (CWE)

Improper Encoding or Escaping of Output

CWE-116

Top Fix

Upgrade Version

Upgrade to version v0.15.3 (https://github.com/nanbingxyz/5ire.git)

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH
