CVE-2025-58766 · CRITICAL 9.0 · EPSS percentile 32.2%

Description

Dyad is a local AI app builder. A critical security vulnerability affecting Dyad v0.19.0 and earlier allows attackers to execute arbitrary code on users' systems. The vulnerability lies in the application's preview window functionality and can bypass Docker container protections. An attacker can craft web content that executes automatically when the preview loads; this malicious content can break out of the application's security boundaries and gain control of the system. The issue is fixed in Dyad v0.20.0 and later.

Scoring

CVSS 3.1: 9.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.41% probability of exploitation · percentile 32.2% · 2026-06-19T12:03:05Z
Published: 2025-09-17
Last modified: 2026-04-15

Underlying weaknesses (1)

CWE-94

References

  1. https://github.com/dyad-sh/dyad/commit/1c0255ab126d3b38ae9e78b17cdab9a07e5f0185
  2. https://github.com/dyad-sh/dyad/commit/ebcf89ee6cead83a33add5ef1e19c8d4f9b4ce9b
  3. https://github.com/dyad-sh/dyad/security/advisories/GHSA-7fxm-c5xx-7vpq


Type      Target                                                           Confidence  Tier
Weakness  Improper Control of Generation of Code ('Code Injection'), cwe-94  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-55319
CVE-2025-53825
CVE-2025-65716
CVE-2026-10175
CVE-2026-36576
CVE-2025-63665
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.