PT-2025-49303 · Tuui · Tuui

Published: 2025-12-05 · Updated: 2025-12-05 · CVE-2025-66562

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TUUI versions prior to 1.3.4

Description: TUUI is a desktop MCP client designed as a tool unitary utility integration. A critical Remote Code Execution (RCE) issue exists due to an unsafe Cross-Site Scripting (XSS) flaw in the Markdown rendering component. TUUI allows arbitrary JavaScript to execute within ECharts code blocks. Combined with an exposed IPC interface that allows spawning processes, this lets an attacker execute arbitrary system commands on a victim's machine by having them view a malicious Markdown message. The vulnerable component is the Markdown rendering component, specifically when it processes ECharts code blocks.

Recommendations: Versions prior to 1.3.4 should be updated to version 1.3.4 or later.

Tags: RCE, XSS, Code Injection


Related Identifiers: CVE-2025-66562, GHSA-QJHQ-RGMR-6C3G

Affected Products: Tuui