Unrated severity · OSV Advisory · Published Jan 21, 2026 · Updated Jan 21, 2026
5ire vulnerable to Remote Code Execution (RCE)
CVE-2026-22792
Description
5ire is a cross-platform desktop artificial intelligence assistant and Model Context Protocol (MCP) client. Prior to version 0.15.3, unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an <img onerror=...> payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as window.bridge.mcpServersManager.createServer. This enables unauthorized creation of MCP servers and can lead to remote command execution. Version 0.15.3 fixes the issue.
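As an added illustration of the defensive side of the description above (not 5ire's actual patch and not code from the project), the sketch below escapes untrusted content first and then restores only a fixed set of attribute-free formatting tags, so an on* handler never reaches the renderer as markup. The function names, the tag allowlist and the sample input are assumptions made for this example.

```javascript
// Added example, not 5ire code. Assumption: the chat view only needs a
// handful of formatting tags and never needs attributes on them.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'code', 'pre', 'p', 'br', 'ul', 'ol', 'li'];

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Step 1: neutralise every character that can open a tag, attribute or entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Step 2: restore only the exact, attribute-free form of an allowlisted tag.
// Anything carrying an attribute (onerror, onclick, src, ...) stays escaped text.
const RESTORE = new RegExp(`&lt;(/?)(${ALLOWED_TAGS.join('|')})&gt;`, 'gi');

function sanitizeUntrustedHtml(input) {
  return escapeHtml(input).replace(
    RESTORE,
    (_match, slash, tag) => `<${slash}${tag.toLowerCase()}>`
  );
}

// Post-condition check usable in unit tests: after removing allowlisted tags,
// no angle bracket may remain in the output.
const ALLOWED_TAG_RE = new RegExp(`</?(${ALLOWED_TAGS.join('|')})>`, 'g');

function isInert(html) {
  return !/[<>]/.test(html.replace(ALLOWED_TAG_RE, ''));
}

// Constructed sample input modelled on the <img onerror=...> case in the advisory;
// doSomething() is a placeholder, not a real payload.
const SAMPLE = '<p>result</p><img src=x onerror="doSomething()">';

const rendered = sanitizeUntrustedHtml(SAMPLE);
console.log(rendered);
console.log('inert:', isInert(rendered), '| raw input inert:', isInert(SAMPLE));
```

Output sanitization is one layer only; unbalanced allowlisted tags can still disturb layout, and which bridge APIs the renderer exposes is a separate control.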
Affected products
- Range: v0.10.1, v0.11.0, v0.11.1, …
References
- github.com/nanbingxyz/5ire/releases/tag/v0.15.3 (mitre, x_refsource_MISC)
- github.com/nanbingxyz/5ire/security/advisories/GHSA-p5fm-wm8g-rffx (mitre, x_refsource_CONFIRM)