Remote Code Execution in TUUI Desktop Client from AI-QL
CVE-2025-66562

8.9HIGH

Key Information:

Vendor

Ai-ql

Status
Tuui
Vendor
CVE Published:
5 December 2025

What is CVE-2025-66562?

The TUUI desktop client, developed by AI-QL, contains a serious vulnerability due to an unsafe Cross-Site Scripting (XSS) flaw present in its Markdown rendering component before version 1.3.4. This weakness allows an attacker to execute arbitrary JavaScript code within ECharts code blocks by crafting a malicious Markdown message. If a user views this message, the exposed IPC interface can be exploited, enabling the attacker to run unauthorized system commands on the victim's machine. Users are advised to upgrade to version 1.3.4 or later to protect against this vulnerability.

Affected Version(s)

tuui < 1.3.4

References

https://github.com/AI-QL/tuui/security/advisories/GHSA-qj...
x_refsource_CONFIRM
https://github.com/AI-QL/tuui/commit/f673fa5b4d76e8236c7d...
x_refsource_MISC
https://github.com/AI-QL/tuui/releases/tag/v1.3.4
x_refsource_MISC

CVSS V4

Score:
8.9
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-66562 : Remote Code Execution in TUUI Desktop Client from AI-QL