CVE-2026-22793
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-21

Last updated on: 2026-01-29

Assigner: GitHub, Inc.

Description
5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe option parsing vulnerability in the ECharts Markdown plugin allows any user able to submit ECharts code blocks to execute arbitrary JavaScript code in the renderer context. This can lead to Remote Code Execution (RCE) in environments where privileged APIs (such as Electron’s electron.mcp) are exposed, resulting in full compromise of the host system. Version 0.15.3 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-01-29
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22793
EUVD
EUVD-2026-3779
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
5ire 5ire to 0.15.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a critical Remote Code Execution (RCE) flaw in the ECharts Markdown plugin used by 5ire. It occurs because the plugin uses JavaScript's `new Function` constructor to parse user-supplied ECharts options without proper sanitization. This unsafe option parsing allows an attacker who can submit ECharts code blocks to inject and execute arbitrary JavaScript code in the renderer context. If the environment exposes privileged APIs (like Electron's electron.mcp), this can lead to full system compromise. [1]

Impact Analysis

If exploited, this vulnerability can allow an attacker to remotely execute arbitrary code on your system without needing any privileges. This can lead to full compromise of the host system, including unauthorized access, data theft, or control over the affected machine. The attack requires user interaction but has low complexity and can be triggered remotely via network. [1]

Detection Guidance

Detection involves identifying if the vulnerable versions of the ECharts Markdown plugin (up to 0.15.1) are in use and monitoring for suspicious JavaScript code execution within ECharts code blocks. Since the vulnerability arises from unsafe use of `new Function` on user input, you can search for ECharts code blocks containing suspicious or unexpected JavaScript code patterns. Additionally, monitoring Electron applications for unexpected calls to privileged APIs like `electron.mcp` may help detect exploitation attempts. Specific commands are not provided in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the ECharts Markdown plugin to version 0.15.3 or later, where the vulnerability is patched. Additionally, avoid using `new Function`, `eval`, or any dynamic code execution methods on user-controlled input to prevent arbitrary code execution. Restrict exposure of privileged APIs such as Electron's `electron.mcp` to untrusted code to reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22793. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart