CVE-2025-66562

Severity: High · EPSS 34.3%
CVSS 4.0 base score: 8.9 (High)
Published: Dec 5, 2025
Last Modified: Jun 17, 2026

Description

TUUI is a desktop MCP (Model Context Protocol) client designed as a tool unitary utility integration. Prior to 1.3.4, a critical Remote Code Execution (RCE) vulnerability exists in Tuui due to an unsafe Cross-Site Scripting (XSS) flaw in the Markdown rendering component: Tuui allows the execution of arbitrary JavaScript within ECharts code blocks. Combined with an exposed IPC interface that allows spawning processes, an attacker can execute arbitrary system commands on the victim's machine simply by having them view a malicious Markdown message. This vulnerability is fixed in 1.3.4.

CVSS Details

Base Score: 8.9
Exploitability:
Impact:
Vector string: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Active
Scope: X (not defined)

Threat Intelligence

EPSS Exploit Probability: 34.3% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses (2)

CWE-79 Cross-site Scripting (Injection)
CWE-94 Improper Control of Generation of Code ('Code Injection') (Injection)

Affected Products (1)

Vendor: aiql
Product: tuui
Version range: * <1.3.4

References (3)

  • github.com https://github.com/AI-QL/tuui/commit/f673fa5b4d76e8236c7d9506d0727875cfa79cc1
    Patch
  • github.com https://github.com/AI-QL/tuui/releases/tag/v1.3.4
    Product, Release Notes
  • github.com https://github.com/AI-QL/tuui/security/advisories/GHSA-qjhq-rgmr-6c3g
    Patch, Vendor Advisory

Remediation

  • github.com https://github.com/AI-QL/tuui/commit/f673fa5b4d76e8236c7d9506d0727875cfa79cc1
    Patch
  • github.com https://github.com/AI-QL/tuui/security/advisories/GHSA-qjhq-rgmr-6c3g
    Patch, Vendor Advisory