CVE-2025-58766
BaseFortify
Publication date: 2025-09-17
Last updated on: 2025-09-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dyad | dyad | 0.19.0 |
| dyad | dyad | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Dyad (version 0.19.0 and earlier) allows attackers to execute arbitrary code on users' systems by exploiting the application's preview window functionality. An attacker can craft malicious web content that automatically runs when the preview loads, bypassing Docker container protections and breaking out of the application's security boundaries to gain control of the system. The issue has been fixed in Dyad version 0.20.0 and later.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to execute arbitrary code on your system, potentially gaining full control over it. This can lead to data theft, system compromise, disruption of services, or further attacks within your environment.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Dyad to version 0.20.0 or later, as this version contains the fix for the critical security issue.