# Critical Vulnerability Information

## Vulnerability Overview

- **Vulnerability Name:** Remote Code Execution via Preview Window
- **Severity:** Critical (9.1/10)
- **CVE ID:** CVE-2025-58766
- **Affected Versions:** <=0.19.0
- **Fixed Version:** 0.20.0

## Description

### Summary

A critical security vulnerability has been discovered in Dyad v0.19.0 and earlier versions that allows attackers to execute arbitrary code on users' systems. The vulnerability affects the application's preview window functionality and can bypass Docker container protections.

### How It Works

The vulnerability is triggered when malicious content is displayed in Dyad's preview window. Attackers can craft web content that executes automatically when it is loaded in the preview. This malicious content can break out of the application's security boundaries and take control of the system.

### Attack Scenarios

- **Malicious Templates:** Distribution of compromised templates via Dyad's community template system.
- **Indirect Prompt Injection:** Embedding malicious content in external sources that users may reference.

### Impact

- **Remote Code Execution:** Attackers can run arbitrary commands on the victim's computer.
- **Container Escape:** The vulnerability bypasses Docker protections, so the host system is affected even when Dyad is running in a container.

### Affected Users

Any user of Dyad v0.19.0 or earlier who previews web applications containing untrusted content. This includes users importing community templates or working with external content sources.

## Mitigation

The issue has been fixed in Dyad v0.20.0 and later versions. Please upgrade to the latest version as soon as possible:

- Download Link

## Acknowledgments

Thank you to @jackfromeast and @Suuuuuzy for their responsible disclosure, including proof-of-concept demonstrations and guidance on the fix.
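The advisory gives the affected range as `<=0.19.0` with the fix in `0.20.0`. The script below is an added example, not part of the advisory or of the Dyad project, that turns that range into a check an administrator can run against an installed version string. It implements semantic-version precedence (including the rule that a pre-release sorts below its release) rather than a plain string comparison, because strings such as `0.9.0` would otherwise compare greater than `0.19.0`. The version bounds are the advisory's; the helper names and the sample version strings are constructed for this example.

```python
"""Check whether a Dyad version string falls in the range CVE-2025-58766 marks
as affected (<= 0.19.0; fixed in 0.20.0).  Added example, not project code."""
import re
from typing import Optional, Tuple

# Bounds taken from the advisory.
AFFECTED_MAX = "0.19.0"
FIXED_VERSION = "0.20.0"

# MAJOR.MINOR.PATCH with optional -prerelease and +build metadata; a leading
# "v" (as in release tags) is tolerated.  Build metadata is ignored, per semver.
_SEMVER_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)

Core = Tuple[int, int, int]
PreRelease = Optional[Tuple[Tuple[int, object], ...]]


def parse_version(version: str) -> Tuple[Core, PreRelease]:
    """Split a version string into a numeric core and a comparable pre-release key.

    Raises ValueError for strings that are not semantic versions (e.g. "latest"),
    so a malformed input is never silently treated as "not affected".
    """
    m = _SEMVER_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    pre = m.group(4)
    if pre is None:
        return core, None
    # Semver: numeric identifiers compare as integers and sort below
    # alphanumeric ones; the (0, int) / (1, str) tag keeps the tuple comparison
    # from ever comparing an int with a str.
    ids = tuple(
        (0, int(ident)) if ident.isdigit() else (1, ident) for ident in pre.split(".")
    )
    return core, ids


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is lower than, equal to or higher than b."""
    core_a, pre_a = parse_version(a)
    core_b, pre_b = parse_version(b)
    if core_a != core_b:
        return -1 if core_a < core_b else 1
    if pre_a == pre_b:
        return 0
    if pre_a is None:  # a release outranks any pre-release of the same core
        return 1
    if pre_b is None:
        return -1
    return -1 if pre_a < pre_b else 1


def is_affected(installed: str) -> bool:
    """True when the installed version is within the advisory's affected range."""
    return compare_versions(installed, AFFECTED_MAX) <= 0


if __name__ == "__main__":
    # Constructed sample inputs, not observed installations.
    for sample in ["0.19.0", "v0.18.3", "0.9.0", "0.20.0", "0.19.0-rc.1", "1.0.0"]:
        status = "AFFECTED - upgrade to " + FIXED_VERSION if is_affected(sample) else "not affected"
        print(f"{sample:12} {status}")
```

One caveat the range in the advisory leaves open: a pre-release such as `0.20.0-beta.1` sorts above `0.19.0` and is therefore reported as not affected, although the advisory only vouches for `0.20.0` and later as fixed. Treat anything below the stated fixed version as needing an upgrade regardless of what the check prints.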