CVE-2025-47777CRITICAL 9.6EPSS p51.9%

CVE-2025-47777CVE-2025-47777

Description

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Versions prior to 0.11.1 are vulnerable to stored cross-site scripting in chatbot responses due to insufficient sanitization. This, in turn, can lead to Remote Code Execution (RCE) via unsafe Electron protocol handling and exposed Electron APIs. All users of 5ire client versions prior to patched releases, particularly those interacting with untrusted chatbots or pasting external content, are affected. Version 0.11.1 contains a patch for the issue.

Scoring

CVSS 3.19.6 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS0.80% probability of exploitation · percentile 51.9% · 2026-06-18T12:00:27Z
Published2025-05-14
Last modified2026-01-22

Underlying weaknesses· 2

CWE-20CWE-79

References

  1. https://github.com/nanbingxyz/5ire/commit/56601e012095194a4be0d4cb6da6b5b3cb53dea8
  2. https://github.com/nanbingxyz/5ire/security/advisories/GHSA-mr8w-mmvv-6hq8
  3. https://positive.security/blog/url-open-rce
  4. https://shabarkin.notion.site/1-click-RCE-in-Electron-Applications-501c2e96e7934610979cd3c72e844a22
  5. https://www.electronjs.org/docs/latest/tutorial/security
  6. https://www.youtube.com/watch?v=ROFYhS9E9eU

2

TypeTargetConfidenceTier
WeaknessImproper Input Validationcwe-200%live
WeaknessImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')cwe-790%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-58357
CVE
CVE-2026-22793
CVE
CVE-2026-22792
CVE
CVE-2025-68669
CVE
CVE-2025-67744
CVE
CVE-2025-66222
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.