CVE-2026-22792
BaseFortify
Publication date: 2026-01-21
Last updated on: 2026-01-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 5ire | 5ire | to 0.15.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the 5ire application allows an attacker to inject unsafe HTML containing event handler attributes like 'onerror' into the renderer context. Specifically, an attacker can inject an <img> tag with an onerror event that executes arbitrary JavaScript. This JavaScript can call exposed bridge APIs such as window.bridge.mcpServersManager.createServer, enabling unauthorized creation of MCP servers and leading to remote command execution on the affected system. [2]
How can this vulnerability impact me? :
The vulnerability can be exploited remotely without any privileges and requires only user interaction. It allows an attacker to execute arbitrary code on the affected system, leading to unauthorized creation of MCP servers. This results in a critical impact on confidentiality, integrity, and availability of the system, potentially allowing full remote control and disruption of services. [2]
What immediate steps should I take to mitigate this vulnerability?
Upgrade the 5ire software to version 0.15.3 or later, as this version includes a fix for the unsafe HTML rendering vulnerability that allows remote code execution. [1, 2]