CVE-2026-22793

CVE-2026-22793 is an unsafe option parsing vulnerability in the ECharts Markdown plugin of 5ire, a cross-platform desktop artificial intelligence assistant and model context protocol client. Versions of 5ire prior to 0.15.3 are affected, enabling attackers to execute arbitrary JavaScript code in the renderer context when malicious ECharts code blocks are submitted. This issue is classified under CWE-94 (Improper Control of Generation of Code) with a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

Any user capable of submitting ECharts code blocks—such as through shared documents, chats, or inputs processed by 5ire—can exploit the vulnerability. Successful exploitation allows arbitrary JavaScript execution in the renderer process, potentially escalating to remote code execution (RCE) in Electron-based environments where privileged APIs like electron.mcp are exposed, resulting in full compromise of the host system including high confidentiality, integrity, and availability impacts.

Version 0.15.3 of 5ire patches the vulnerability by addressing the unsafe option parsing. Security practitioners should update to this version immediately. Additional details are available in the GitHub release notes at https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3 and the security advisory at https://github.com/nanbingxyz/5ire/security/advisories/GHSA-wg3x-7c26-97wj.

This vulnerability underscores security risks in AI desktop applications leveraging web rendering components like ECharts and Electron, where user-submitted content can bridge to system-level access. No public evidence of real-world exploitation has been reported as of the CVE publication on 2026-01-21.