CVE-2026-23523
Published 2026-01-16
Priority: P260 | Severity: high | CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 6.30% (92.7th percentile)
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, a crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation, which can lead to arbitrary local command execution on the victim’s machine. This vulnerability is fixed in 0.13.0.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openagentplatform | dive | < 0.13.0 | 0.13.0 |
Detection & IOCs (extracted from sources)
- A public exploit is reported to exist for this vulnerability, increasing urgency for detection and patching of Dive versions prior to 0.13.0.
- The fix was added to Homebrew and Nix package managers on February 11, 2026; environments relying on these package managers should verify they have pulled the updated version.
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-66580 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
CVE-2025-66580 [HIGH] CVE-2025-66580 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66580: Dive vulnerability analysis and mitigation
- Source: NVD
- Score: 9.6
- Published: December 19, 2025
- Severity: CRITICAL
- CNA Score: 9.6
- Affected Technologies: Dive
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 50.3
- Exploitation Probability (EPSS): 0.3
- Affected packages and libraries: dive
- Sources:
  - NVD
  - Homebrew: Severity CRITICAL, Has Fix, Added at: Jan 04, 2026
  - Nix: Severity CRITICAL, Has Fix, Added at: Jan 04, 2026
Wiz
CVE-2026-23523 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
CVE-2026-23523 [HIGH] CVE-2026-23523 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23523: Dive vulnerability analysis and mitigation
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, a crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation, which can lead to arbitrary local command execution on the victim’s machine. This vulnerability is fixed in 0.13.0.
- Source: NVD
- Score: 8.8
- Published: January 16, 2026
- Severity: HIGH
- CNA Score: 9.6
- Affected Technologies: Dive
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 10
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: dive
- Sources:
  - NVD
  - Homebrew: Severity HIGH, Has Fix

Published: 2026-01-16