CVE-2026-22793
BaseFortify
Publication date: 2026-01-21
Last updated on: 2026-01-29
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 5ire | 5ire | to 0.15.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a critical Remote Code Execution (RCE) flaw in the ECharts Markdown plugin used by 5ire. It occurs because the plugin uses JavaScript's `new Function` constructor to parse user-supplied ECharts options without proper sanitization. This unsafe option parsing allows an attacker who can submit ECharts code blocks to inject and execute arbitrary JavaScript code in the renderer context. If the environment exposes privileged APIs (like Electron's electron.mcp), this can lead to full system compromise. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to remotely execute arbitrary code on your system without needing any privileges. This can lead to full compromise of the host system, including unauthorized access, data theft, or control over the affected machine. The attack requires user interaction but has low complexity and can be triggered remotely via network. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves identifying whether vulnerable versions of the ECharts Markdown plugin (up to 0.15.1) are in use and monitoring for suspicious JavaScript code execution within ECharts code blocks. Since the vulnerability arises from unsafe use of `new Function` on user input, you can search for ECharts code blocks containing suspicious or unexpected JavaScript code patterns. Additionally, monitoring Electron applications for unexpected calls to privileged APIs like `electron.mcp` may help detect exploitation attempts. Specific commands are not provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the ECharts Markdown plugin to version 0.15.3 or later, where the vulnerability is patched. Additionally, avoid using `new Function`, `eval`, or any dynamic code execution methods on user-controlled input to prevent arbitrary code execution. Restrict exposure of privileged APIs such as Electron's `electron.mcp` to untrusted code to reduce risk. [1]
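The pattern described in the explanation above (option text evaluated with `new Function`) beside the hardened form the mitigation calls for, as an added example that is not 5ire's or the plugin's own code. The function names, the size limit and the sample inputs are assumptions; the safe parser treats an ECharts block strictly as JSON data and also strips prototype-polluting keys before the option is merged into chart defaults.

```javascript
// Added example, not code from the 5ire project or the ECharts Markdown
// plugin. Function names and MAX_OPTION_BYTES are assumed for illustration.

// Vulnerable pattern (CWE-94): the fenced block text is compiled and run as
// JavaScript, so any expression a document author writes executes in the
// renderer context.
function parseOptionUnsafe(blockText) {
  return new Function("return (" + blockText + ")")();
}

// Hardened replacement: the block is data, never code. JSON.parse executes
// nothing; everything that is not a plain JSON object is rejected.
const MAX_OPTION_BYTES = 256 * 1024; // assumed upper bound for a chart spec

function parseOptionSafe(blockText) {
  if (typeof blockText !== "string" || blockText.length > MAX_OPTION_BYTES) {
    throw new Error("echarts block rejected: not a string or too large");
  }
  let option;
  try {
    option = JSON.parse(blockText);
  } catch (e) {
    // JavaScript expressions, function bodies and comments all fail here
    // instead of being evaluated.
    throw new Error("echarts block rejected: option must be plain JSON");
  }
  if (option === null || typeof option !== "object" || Array.isArray(option)) {
    throw new Error("echarts block rejected: option must be a JSON object");
  }
  // JSON.parse leaves the prototype alone, but a later deep-merge into chart
  // defaults may not; drop keys that could pollute Object.prototype.
  const banned = new Set(["__proto__", "constructor", "prototype"]);
  const strip = (v) => {
    if (Array.isArray(v)) return v.map(strip);
    if (v && typeof v === "object") {
      const out = {};
      for (const [k, val] of Object.entries(v)) {
        if (!banned.has(k)) out[k] = strip(val);
      }
      return out;
    }
    return v;
  };
  return strip(option);
}
```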