Description
5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe option parsing vulnerability in the ECharts Markdown plugin allows any user able to submit ECharts code blocks to execute arbitrary JavaScript code in the renderer context. This can lead to Remote Code Execution (RCE) in environments where privileged APIs (such as Electron’s electron.mcp) are exposed, resulting in full compromise of the host system. Version 0.15.3 patches the issue.
Published: 2026-01-21
Score: 9.7 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The issue arises from unsafe option parsing within the ECharts Markdown plugin bundled with 5ire. Anyone who can supply an ECharts code block can inject arbitrary JavaScript into the renderer process. The injected code runs with the privileges granted to the Electron renderer; where privileged APIs such as electron.mcp are exposed to it, an attacker can execute arbitrary commands on the host, achieving full system compromise.

Affected Systems

Affected systems are installations of the 5ire desktop application produced by the vendor nanbingxyz. The vulnerability exists in all releases prior to version 0.15.3; any user running an earlier build who can submit Markdown content that contains an ECharts block is at risk.

Risk and Exploitability

The CVSS score of 9.7 marks this flaw as critical, while the EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild in the near term. The vulnerability is not listed in CISA’s KEV catalogue, but the high severity and the possibility of remote code execution make it a priority target for attackers. Exploitation requires the ability to get an ECharts code block rendered by the application, and only systems that expose privileged APIs (e.g., Electron’s electron.mcp) to the renderer provide the full blast radius. Without those APIs the risk is lower, though arbitrary JavaScript execution in the renderer context remains significant.

Generated by OpenCVE AI on April 18, 2026 at 04:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 0.15.3 or later to remove the unsafe parsing logic.
  • Disable or remove the ECharts Markdown plugin if the application does not require it, thereby reducing the attack surface.
  • Restrict privilege exposure in the Electron renderer by disabling electron.mcp or configuring the context bridge to expose only the minimal set of APIs required.
  • Sanitize or validate incoming Markdown content to reject or escape any ECharts code blocks before rendering.
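
One way to apply the last recommendation, shown as an added example that is not 5ire's code or the 0.15.3 fix: treat the body of each ECharts block as strict JSON data and refuse anything else. The function names, the `echarts` fence tag, and the size and depth limits are assumptions made for illustration.

```javascript
// Added example (not 5ire code): treat ECharts block content as data, never as code.
// Assumptions: blocks use an "echarts" fence tag and chart options must be strict JSON.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_BYTES = 64 * 1024; // constructed limit
const MAX_DEPTH = 12;        // constructed limit

// Recursively verify that the parsed value holds only plain JSON data.
function assertPlainData(value, depth = 0) {
  if (depth > MAX_DEPTH) throw new Error('option nesting too deep');
  if (value === null || typeof value !== 'object') return;
  for (const [key, child] of Object.entries(value)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`forbidden key: ${key}`);
    assertPlainData(child, depth + 1);
  }
}

// Parse one block body. JSON.parse never evaluates expressions, so function
// literals, calls and other code are rejected as syntax errors.
function parseEChartsOption(source) {
  if (source.length > MAX_BYTES) return { ok: false, reason: 'option too large' };
  try {
    const option = JSON.parse(source);
    if (option === null || typeof option !== 'object' || Array.isArray(option)) {
      return { ok: false, reason: 'option must be a JSON object' };
    }
    assertPlainData(option);
    return { ok: true, option };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Find every echarts-tagged fenced block in a Markdown string and validate it.
function validateMarkdownCharts(markdown) {
  const fence = /^```echarts[ \t]*\r?\n([\s\S]*?)^```[ \t]*$/gm;
  return [...markdown.matchAll(fence)].map((m) => parseEChartsOption(m[1]));
}

// Constructed sample input: one data-only block, one block containing code.
const sample = [
  '```echarts', '{"xAxis": {"type": "category", "data": ["a", "b"]},',
  ' "series": [{"type": "bar", "data": [1, 2]}]}', '```',
  '```echarts', '{"tooltip": {"formatter": function () { return 1; }}}', '```',
].join('\n');
console.log(validateMarkdownCharts(sample).map((r) => r.ok)); // [ true, false ]
```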



Advisories

No advisories yet.

History

Thu, 29 Jan 2026 20:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | 5ire; 5ire 5ire |
| CPEs | | cpe:2.3:a:5ire:5ire:*:*:*:*:*:*:*:* |
| Vendors & Products | | 5ire; 5ire 5ire |

Fri, 23 Jan 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Nanbingxyz; Nanbingxyz 5ire |
| Vendors & Products | | Nanbingxyz; Nanbingxyz 5ire |

Wed, 21 Jan 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 21 Jan 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe option parsing vulnerability in the ECharts Markdown plugin allows any user able to submit ECharts code blocks to execute arbitrary JavaScript code in the renderer context. This can lead to Remote Code Execution (RCE) in environments where privileged APIs (such as Electron’s electron.mcp) are exposed, resulting in full compromise of the host system. Version 0.15.3 patches the issue. |
| Title | | 5ire vulnerable to Remote Code Execution (RCE) via ECharts |
| Weaknesses | | CWE-94 |
| References | | |
| Metrics | | cvssV3_1: {'score': 9.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-21T21:26:07.121Z

Reserved: 2026-01-09T18:27:19.389Z

Link: CVE-2026-22793

Vulnrichment

Updated: 2026-01-21T21:26:04.041Z

NVD

Status: Analyzed

Published: 2026-01-21T21:16:10.107

Modified: 2026-01-29T19:58:16.513

Link: CVE-2026-22793

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z
