CVE-2026-22792 CRITICAL

CVE-2026-22792: 5ire vulnerable to Remote Code Execution (RCE)

Vendor: Nanbingxyz
Product: 5ire
Weakness: CWE-116
Published: January 21, 2026
Last update: January 21, 2026

CVSS base score

9.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an `<img onerror=...>` payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as `window.bridge.mcpServersManager.createServer`. This enables unauthorized creation of MCP servers and can lead to remote command execution. Version 0.15.3 fixes the issue.
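The weakness class above (CWE-116, improper output encoding) can be illustrated with the following added example, which is not 5ire's code or its 0.15.3 fix. The helper names `escapeHtml`, `findEventHandlerAttrs` and `renderUntrusted` and the sample string are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helpers, not 5ire's code or its 0.15.3 fix.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding (the CWE-116 control): untrusted text is emitted as text,
// so the renderer never parses it as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Detection aid for tests and logging, NOT a sanitizer: lists inline
// event-handler attributes (on*) that appear inside tags of a markup string.
function findEventHandlerAttrs(markup) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
  for (const [, tag, body] of String(markup).matchAll(tagRe)) {
    // Blank out quoted values so text such as title="see onload=docs" is ignored.
    const bare = body.replace(/"[^"]*"|'[^']*'/g, '""');
    for (const [, event] of bare.matchAll(/[\s/"']on([a-z]+)\s*=/gi)) {
      findings.push(`${tag.toLowerCase()}:on${event.toLowerCase()}`);
    }
  }
  return findings;
}

// Constructed sample of untrusted content (inert handler body).
const SAMPLE = 'Done. <img src="x" onerror="void 0"> <b title="see onload=docs">ok</b>';

// Encode, then enforce the invariant that nothing parseable as a tag survives.
function renderUntrusted(content) {
  const html = escapeHtml(content);
  if (findEventHandlerAttrs(html).length !== 0) throw new Error('encoding failed');
  return html;
}

console.log(findEventHandlerAttrs(SAMPLE)); // handlers present in the raw input
console.log(renderUntrusted(SAMPLE));       // encoded form, safe to display as text
```

Where an application must render rich HTML rather than plain text, encoding is replaced by a DOM-based allowlist sanitizer; the regex scan here is only suitable as a regression or logging check.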

Key dates

02 Disclosure timeline

January 21, 2026: CVE published
January 21, 2026: Record updated