How to fix EUVD-2025-201459?

Within 24 hours: Identify all TUUI installations across the organization and disable or restrict TUUI usage until patching is complete; notify affected users of the risk. Within 7 days: Test TUUI version 1.3.4 in a controlled environment and deploy the patch to all systems; verify no instances of versions prior to 1.3.4 remain in use. Within 30 days: Conduct a security audit of all systems where TUUI was used to detect any signs of compromise or unauthorized access; review logs for suspicious activity related to TUUI usage during the vulnerable period.

Is Tuui affected by EUVD-2025-201459?

TUUI desktop client versions prior to 1.3.4 contain a critical remote code execution vulnerability that allows attackers to execute arbitrary system commands on user machines through malicious Markdown messages.

EUVD-2025-201459

| CVE-2025-66562 CRITICAL

2025-12-05 [email protected]

9.6

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 17:08 euvd

EUVD-2025-201459

Analysis Generated

Mar 15, 2026 - 17:08 vuln.today

CVE Published

Dec 05, 2025 - 18:15 nvd

CRITICAL 9.6

Description

TUUI is a desktop MCP client designed as a tool unitary utility integration. Prior to 1.3.4, a critical Remote Code Execution (RCE) vulnerability exists in Tuui due to an unsafe Cross-Site Scripting (XSS) flaw in the Markdown rendering component. Tuui allows the execution of arbitrary JavaScript within ECharts code blocks. Combined with an exposed IPC interface that allows spawning processes, an attacker can execute arbitrary system commands on the victim's machine simply by having them view a malicious Markdown message. This vulnerability is fixed in 1.3.4.

Analysis

TUUI is a desktop MCP client designed as a tool unitary utility integration.

Technical Context

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

Affected Products

Affected products: Aiql Tuui

Remediation

Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.4

CVSS: +48

POC: 0

EUVD-2025-201459 vulnerability details – vuln.today

Back

EUVD-2025-201459

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-201459

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code