What is CVE-2026-22792?

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an ` ` payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as `window.bridge.mcpServersManager.createServer`. This enables unauthorized creation of MCP servers and lead to remote command execution. Version 0.15.3 fixes the issue.

What is the severity of CVE-2026-22792?

CVE-2026-22792 has a CVSS v3 score of 9.6, which is classified as Critical severity.

Is there an exploit available for CVE-2026-22792?

No known public exploits are currently available for CVE-2026-22792.

Is there a patch available for CVE-2026-22792?

No official patches have been released yet for CVE-2026-22792. Consider implementing workarounds or mitigations.

CVE-2026-22792 - CVE Details, Severity, and Analysis

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an <img onerror=...> payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as window.bridge.mcpServersManager.createServer. This enables unauthorized creation of MCP servers and lead to remote command execution. Version 0.15.3 fixes the issue.