CVE-2026-22792

CVE-2026-22792 is a high-severity vulnerability (CVSS v3.1 score of 9.6, AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) affecting 5ire, a cross-platform desktop artificial intelligence assistant and model context protocol client, in versions prior to 0.15.3. The issue arises from unsafe HTML rendering that permits untrusted HTML, including on* event attributes, to execute arbitrary JavaScript directly in the renderer context (CWE-116).

A remote attacker can exploit this by injecting a payload such as an <img onerror=...> tag, which triggers JavaScript execution in the renderer. This allows the attacker to call exposed bridge APIs, for example window.bridge.mcpServersManager.createServer, enabling unauthorized creation of MCP servers and ultimately leading to remote command execution on the victim's machine. Exploitation requires user interaction, such as rendering malicious content, but needs no privileges.

The vulnerability is fixed in version 0.15.3 of 5ire. Security practitioners should update to this version immediately. Additional details are available in the GitHub security advisory (https://github.com/nanbingxyz/5ire/security/advisories/GHSA-p5fm-wm8g-rffx) and release notes (https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3).

As an AI assistant handling model context protocols, 5ire's exposure underscores risks in desktop AI applications where renderer-process interactions can escalate to system compromise. No public evidence of real-world exploitation is noted as of the CVE publication on 2026-01-21.