CVE-2026-22793 — AI Deep Analysis Summary

🚨 **Essence**: 5ire (v0.15.3-) has a **Code Injection** flaw in its ECharts Markdown plugin. <br>💥 **Consequences**: Attackers can execute **Arbitrary JavaScript** leading to **Remote Code Execution (RCE)**.…

🛡️ **CWE-94**: Improper Control of Generation of Code ('Code Injection'). <br>🔍 **Flaw**: Unsafe option parsing in the **ECharts Markdown plugin**. Malicious code blocks are not sanitized before execution.

📦 **Vendor**: nanbingxyz. <br>💻 **Product**: 5ire (Cross-platform Desktop AI Assistant). <br>⚠️ **Affected**: Versions **prior to 0.15.3**. Fixed in v0.15.3.

🕵️ **Privileges**: Full **Remote Code Execution (RCE)**. <br>📂 **Data**: Complete access to system resources. CVSS Score indicates **High** impact on all security triads (C:H, I:H, A:H).

🔓 **Threshold**: **Low** (AC:L). <br>👤 **Auth**: **None Required** (PR:N). <br>👀 **UI**: **Required** (UI:R) – Victim must submit/view the malicious ECharts code block. Network accessible (AV:N).

📜 **Public Exp?**: **No PoCs** listed in data. <br>🌐 **Wild Exp**: Unconfirmed.…

🔍 **Self-Check**: Verify 5ire version. <br>🚫 **Feature**: Check for **ECharts Markdown** usage. <br>🛠️ **Scan**: Look for unsanitized JavaScript execution in markdown-rendered charts. Update immediately if < v0.15.3.

✅ **Fixed**: **Yes**. <br>🔧 **Patch**: Upgrade to **v0.15.3** or later.…

🚧 **No Patch Workaround**: <br>1️⃣ **Disable** ECharts Markdown plugin if possible. <br>2️⃣ **Restrict** input: Do not render untrusted Markdown with code blocks. <br>3️⃣ **Isolate**: Run 5ire in a sandboxed environment.

🔥 **Urgency**: **HIGH**. <br>📅 **Priority**: Patch immediately. <br>⚖️ **Reason**: CVSS 3.1 Vector shows **Critical** potential (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). RCE via simple UI interaction is dangerous.