CVE-2025-66580
Published: 2025-12-19

- Priority: P353
- Severity: critical
- CVSS 3.1 base score: 9.6
- CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- EPSS: 0.48% (37.7th percentile)
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary JavaScript via `javascript:`. An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, leading to Remote Code Execution (RCE) on the victim's machine when the node is clicked. Version 0.11.1 fixes the issue.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openagentplatform | dive | < 0.11.1 | 0.11.1 |
- No advisories linked to this vulnerability.
- No detection rules found.
- No public exploits indexed.
Wiz: CVE-2025-66580 Impact, Exploitability, and Mitigation Steps (blogs_wiz · CVSS 7.0)
## CVE-2025-66580: Dive vulnerability analysis and mitigation
- Source: NVD
- Score: 9.6
- Published: December 19, 2025
- Severity: CRITICAL
- CNA Score: 9.6
- Affected Technologies: Dive
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 50.3
- Exploitation Probability (EPSS): 0.3
- Affected packages and libraries: dive
- Sources: NVD
- Homebrew: Severity CRITICAL, Has Fix, Added at Jan 04, 2026
- Nix: Severity CRITICAL, Has Fix, Added at Jan 04, 2026
## Related Dive vulnerabilities:
Wiz: CVE-2026-23523 Impact, Exploitability, and Mitigation Steps (blogs_wiz · CVSS 7.0)
## CVE-2026-23523: Dive vulnerability analysis and mitigation
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, a crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation, which can lead to arbitrary local command execution on the victim's machine. This vulnerability is fixed in 0.13.0.
- Source: NVD
- Score: 8.8
- Published: January 16, 2026
- Severity: HIGH
- CNA Score: 9.6
- Affected Technologies: Dive
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 10
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: dive
- Sources: NVD
- Homebrew: Severity HIGH, Has Fix