Arbitrary Code Execution Vulnerability in Dyad by Dyad
CVE-2025-58766

9.1 CRITICAL

Key Information:

Vendor: Dyad-sh

Status: Vendor

CVE Published: 17 September 2025

What is CVE-2025-58766?

A critical security flaw has been identified in Dyad, a local AI app builder. The vulnerability affects version v0.19.0 and all earlier releases and allows an attacker to execute arbitrary code on devices running the application. The root cause lies in the application's preview window, which can be abused to bypass the isolation that the Docker container is meant to provide. By crafting web content that runs automatically when the preview is loaded, an attacker can break out of the application's security boundary and take control of the affected system. Users are strongly advised to upgrade to Dyad v0.20.0 or later to mitigate this risk.

Affected Version(s)

dyad < 0.20.0

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability Published

  • Vulnerability Reserved
