PT-2026-3863 · 5Ire · 5Ire

C2An1 · Published 2026-01-21 · Updated 2026-01-22 · CVE-2026-22792

CVSS v3.1: 9.6 (Critical)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

5ire versions prior to 0.15.3

Description

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, unsafe HTML rendering allows untrusted HTML, including on* event attributes, to execute within the renderer context. An attacker can inject an <img onerror=...> payload to execute arbitrary JavaScript in the renderer. This JavaScript can call exposed bridge APIs, such as window.bridge.mcpServersManager.createServer, potentially leading to unauthorized creation of MCP servers and remote command execution.

Recommendations

Update to version 0.15.3 or later.

Exploit

Fix

RCE

Improper Encoding or Escaping of Output

Weakness Enumeration

Related identifiers

CVE-2026-22792
GHSA-P5FM-WM8G-RFFX

Affected products

5Ire